Duh - Microsoft: "Our products aren't engineered for security"


Post by David Mohri » Sat, 07 Sep 2002 17:41:48



Microsoft: 'Our products aren't engineered for security'
CW360.com Sep 6 2002 4:16AM ET...
http://c.moreover.com/click/here.pl?r46677969
+
+Friday 6 September 2002
+Brian Valentine, senior vice-president in charge of Microsoft's
+Windows development, has made a grim admission to the Microsoft
+Windows Server .net developer conference in Seattle, USA.
+
+"I'm not proud," he told delegates yesterday (5 September). "We
+really haven't done everything we could to protect our customers.
+Our products just aren't engineered for security," admitted
+Valentine, who since 1998 has headed Microsoft's Windows division.
+
...
+"It's impossible to solve the problem completely," Valentine said.
+"As we solve these problems there are hackers who are going to
+come up with new ones. There's no end to this."

It looks like the folks at Microsoft are discovering something
that has been known for decades...

The First Law of IT Security.
 Security is not an addon, it has to be a fundamental property
 of the system and the applications, both in the implementation
 and the design.

Listen to Dr. Blaine Burnham, Director, Georgia Tech Information
Security Center (GTISC) and previously with the National Security
Agency (NSA) ...
http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411

David Mohring - Hint - http://www.dwheeler.com/secure-programs/

 
 
 


Post by Paul Cook » Sat, 07 Sep 2002 20:58:16



comp.os.linux.advocacy to propose the following:

> Microsoft: 'Our products aren't engineered for security'
> CW360.com Sep 6 2002 4:16AM ET...
> http://c.moreover.com/click/here.pl?r46677969
> +
> +Friday 6 September 2002
> +Brian Valentine, senior vice-president in charge of Microsoft's
> +Windows development, has made a grim admission to the Microsoft
> +Windows Server .net developer conference in Seattle, USA.
> +
> +"I'm not proud," he told delegates yesterday (5 September). "We
> +really haven't done everything we could to protect our customers.
> +Our products just aren't engineered for security," admitted
> +Valentine, who since 1998 has headed Microsoft's Windows division.
> +
> ...
> +"It's impossible to solve the problem completely," Valentine said.
> +"As we solve these problems there are hackers who are going to
> +come up with new ones. There's no end to this."

> It looks like the folks at Microsoft are discovering something
> that has been known for decades...

The link given above is now dead and gives the following message:

|This CW360 page is currently unavailable
|
|We apologise for any inconvenience.
|
|Please try again later.

However, going up to the root address <http://www.cw360.com> lets you
access the story anyway, but with an absolutely monstrous session
generated link if you were to try to quote it...

noticed that they've got a big special on Linux under the heading "Linux
Means Business"... lots of good articles in there to quote from against
the FUD that's being spread in here by the winvocates...

<http://www.cw360.com/article&rd=&i=&ard=114162&fv=1&ref=1_1_0_3>


> The First Law of IT Security.
>  Security is not an addon, it has to be a fundamental property
>  of the system and the applications, both in the implementation
>  and the design.

> Listen to Dr. Blaine Burnham, Director, Georgia Tech Information
> Security Center (GTISC) and previously with the National Security
> Agency (NSA) ...
> http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411

> David Mohring - Hint - http://www.dwheeler.com/secure-programs/

--
Paul Cooke
  Registered Linux user 273897 Machine registration number 156819
  Linux Counter: Home Page = http://counter.li.org/

 
 
 


Post by Craig Kelle » Sat, 07 Sep 2002 20:58:22



> Microsoft: 'Our products aren't engineered for security'
> CW360.com Sep 6 2002 4:16AM ET...
> http://c.moreover.com/click/here.pl?r46677969

B-)

B-b-b-b-b-but NT has class C certification!

--

protected from being read by the DMCA and all other WIPO treaty nations.

 
 
 


Post by David Mohri » Sat, 07 Sep 2002 20:31:25


On Fri, 06 Sep 2002 18:58:16 +0000,


>comp.os.linux.advocacy to propose the following:

>> Microsoft: 'Our products aren't engineered for security'
>> CW360.com Sep 6 2002 4:16AM ET...
>> http://c.moreover.com/click/here.pl?r46677969
>> +
>> +Friday 6 September 2002
>> +Brian Valentine, senior vice-president in charge of Microsoft's
>> +Windows development, has made a grim admission to the Microsoft
>> +Windows Server .net developer conference in Seattle, USA.
>> +
>> +"I'm not proud," he told delegates yesterday (5 September). "We
>> +really haven't done everything we could to protect our customers.
>> +Our products just aren't engineered for security," admitted
>> +Valentine, who since 1998 has headed Microsoft's Windows division.
>> +
>> ...
>> +"It's impossible to solve the problem completely," Valentine said.
>> +"As we solve these problems there are hackers who are going to
>> +come up with new ones. There's no end to this."

>> It looks like the folks at Microsoft are discovering something
>> that has been known for decades...

>The link given above is now dead and gives the following message:

>|This CW360 page is currently unavailable
>|
>|We apologise for any inconvenience.
>|
>|Please try again later.

The reason for the above is that it's been slashdotted
http://www.veryComputer.com/

Almost the same article, with some added MS FUD is at infoworld
"Lead Windows developer bugged by security"
( Should it not be titled "Many Windows users *ed by security"? )
http://www.veryComputer.com/
Which includes the MS BS
+It is not only Microsoft that is to blame for the creation of
+faulty software, said Chandra Mugunda, a software consultant with
+Dell Computer in Round Rock, Texas, who attended Valentine's
+presentation here.
+
+"It's an industry-wide problem, it's not just a Microsoft
+problem," he said. "But they're the leaders, and they should take
+the lead to solve these problems"
+
+Valentine, too, took the opportunity to point out the widespread
+bugs that have been discovered in competing operating products
+such as Linux and Unix.
+
+"Every operating system out there is about equal in the number of
+vulnerabilities reported," he said. "We all suck."

That last statement of Valentine's fails to take into
consideration that in most cases Unix, open source and free
licensed software has been designed from the outset
with at least the issue of security in mind.
http://www.veryComputer.com/,3959,1866,00.asp

Whereas, some Microsoft systems such as their embedded scripting
systems have not.
http://www.veryComputer.com/
http://www.veryComputer.com/

The result is that it is far easier to exploit an easy, scriptable
vulnerability in a Microsoft system, that has no patch for months,
than to exploit a difficult hole in a Linux/BSD system, that
requires a binary code injection and in almost all cases has a patch
available within days that closes the hole entirely.


>However, going up to the root address <http://www.cw360.com> lets you
>access the story anyway, but with an absolutely monstrous session
>generated link if you were to try to quote it...

>noticed that they've got a big special on Linux under the heading "Linux
>Means Business"... lots of good articles in there to quote from against
>the FUD that's being spread in here by the winvocates...

><http://www.cw360.com/article&rd=&i=&ard=114162&fv=1&ref=1_1_0_3>

>> The First Law of IT Security.
>>  Security is not an addon, it has to be a fundamental property
>>  of the system and the applications, both in the implementation
>>  and the design.

>> Listen to Dr. Blaine Burnham, Director, Georgia Tech Information
>> Security Center (GTISC) and previously with the National Security
>> Agency (NSA) ...
>> http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411

>> David Mohring - Hint - http://www.dwheeler.com/secure-programs/

>--
>Paul Cooke
>  Registered Linux user 273897 Machine registration number 156819
>  Linux Counter: Home Page = http://counter.li.org/

David Mohring - Linux,open source and free licensed-To Securely Serve.
 
 
 


Post by David Mohri » Sat, 07 Sep 2002 20:45:22




>> Microsoft: 'Our products aren't engineered for security'
>> CW360.com Sep 6 2002 4:16AM ET...
>> http://c.moreover.com/click/here.pl?r46677969

>B-)

>B-b-b-b-b-but NT has class C certification!

Ask the question.

Who was Ed Curry?

http://www.angelfire.com/nj2/edcurry/edcurry.html

David Mohring - Vindication

 
 
 


Post by rapska » Sat, 07 Sep 2002 21:08:08


Error Log for Fri, 06 Sep 2002 18:45:22 +0000: segfault in module "David
Mohring" - dump details are as follows...





>>> Microsoft: 'Our products aren't engineered for security' CW360.com Sep 6
>>> 2002 4:16AM ET...
>>> http://c.moreover.com/click/here.pl?r46677969

>>B-)

>>B-b-b-b-b-but NT has class C certification!

> Ask the question.

> Who was Ed Curry?

> http://www.angelfire.com/nj2/edcurry/edcurry.html

> David Mohring - Vindication

Better question...

WHERE is Ed Curry?

--
rapskat -   3:00pm  up  7:36,  0 users,  load average: 0.33, 0.12, 0.16
82 processes: 78 sleeping, 3 running, 1 zombie, 0 stopped
CPU states:  4.3% user,  1.4% system,  0.0% nice, 94.2% idle
drop the hot to mail me

Speak against M$ and turn up missing...

 
 
 


Post by Roy Cull » Sat, 07 Sep 2002 20:51:02




> Microsoft: 'Our products aren't engineered for security'
> CW360.com Sep 6 2002 4:16AM ET...
> http://c.moreover.com/click/here.pl?r46677969
> +
> +Friday 6 September 2002
> +Brian Valentine, senior vice-president in charge of Microsoft's
> +Windows development, has made a grim admission to the Microsoft
> +Windows Server .net developer conference in Seattle, USA.
> +
> +"I'm not proud," he told delegates yesterday (5 September). "We
> +really haven't done everything we could to protect our customers.
> +Our products just aren't engineered for security," admitted
> +Valentine, who since 1998 has headed Microsoft's Windows division.
> +
> ...
> +"It's impossible to solve the problem completely," Valentine said.
> +"As we solve these problems there are hackers who are going to
> +come up with new ones. There's no end to this."

> It looks like the folks at Microsoft are discovering something
> that has been known for decades...

> The First Law of IT Security.
>  Security is not an addon, it has to be a fundamental property
>  of the system and the applications, both in the implementation
>  and the design.

Unix wasn't designed with security in mind when it was first
developed.  Unix was designed though. Along with that the KISS
philosophy has made it relatively easy to add security to Unix later.

It is not necessary to see MS's code to know that it is an
unmaintainable humongous mess. The past record only shows it going
from bad to worse.  Even MS realise that a total redesign is their
only long term chance.  Will people continue to pay for their existing
*every year for the next 5 years. I don't think so.

 
 
 


Post by jaso » Sat, 07 Sep 2002 21:05:36


In order to obtain enlightenment,
r's koan is Re: Duh - Microsoft: "Our products aren't engineered for security"

> Error Log for Fri, 06 Sep 2002 18:45:22 +0000: segfault in module "David
> Mohring" - dump details are as follows...





>>>> Microsoft: 'Our products aren't engineered for security' CW360.com Sep 6
>>>> 2002 4:16AM ET...
>>>> http://c.moreover.com/click/here.pl?r46677969

>>>B-)

>>>B-b-b-b-b-but NT has class C certification!

>> Ask the question.

>> Who was Ed Curry?

>> http://www.angelfire.com/nj2/edcurry/edcurry.html

>> David Mohring - Vindication

> Better question...

> WHERE is Ed Curry?

According to the site, in the ground. Courtesy of MS.

--
Fri Sep  6 01:08:43 ~># fortune
The only really decent thing to do behind a person's back is pat it.

 
 
 


Post by David Mohri » Sat, 07 Sep 2002 21:57:24





>> Microsoft: 'Our products aren't engineered for security'
>> CW360.com Sep 6 2002 4:16AM ET...
>> http://c.moreover.com/click/here.pl?r46677969
>> +
>> +Friday 6 September 2002
>> +Brian Valentine, senior vice-president in charge of Microsoft's
>> +Windows development, has made a grim admission to the Microsoft
>> +Windows Server .net developer conference in Seattle, USA.
>> +
>> +"I'm not proud," he told delegates yesterday (5 September). "We
>> +really haven't done everything we could to protect our customers.
>> +Our products just aren't engineered for security," admitted
>> +Valentine, who since 1998 has headed Microsoft's Windows division.
>> +
>> ...
>> +"It's impossible to solve the problem completely," Valentine said.
>> +"As we solve these problems there are hackers who are going to
>> +come up with new ones. There's no end to this."

>> It looks like the folks at Microsoft are discovering something
>> that has been known for decades...

>> The First Law of IT Security.
>>  Security is not an addon, it has to be a fundamental property
>>  of the system and the applications, both in the implementation
>>  and the design.

>Unix wasn't designed with security in mind when it was first
>developed.  

The youngsters here forget how old Unix is ...

Research UNIX
-------------
1st Edition     November 3, 1971        [QCU]   QCU= A Quarter Century of UNIX
2nd Edition     June 12, 1972           [QCU]        Peter Salus
3rd Edition     February, 1973          [QCU]        Addison-Wesley
4th Edition     November, 1973          [QCU]        ISBN 0-201-54777-5
5th Edition     June, 1974              [QCU]
6th Edition     May, 1975               [QCU]   LWU= Life With UNIX
7th Edition     January, 1979           [QCU]        Don Libes, Sandy Ressler
8th Edition     February, 1985          [QCU]        Prentice-Hall
9th Edition     September, 1986         [QCU]        ISBN 0-13-536657-7
10th Edition    October, 1989           [QCU]

>Unix was designed though.

Well, thanks to Caldera/SCO ...
http://www.veryComputer.com/
... if you're willing to trudge through the old K&R C source code
http://www.veryComputer.com/
.. you can see the well formed filesystem and memory models still
in use today.

>Along with that the KISS
>philosophy has made it relatively easy to add security to Unix later.

True ...
http://www.veryComputer.com/
and the older ...
http://www.veryComputer.com/


>It is not necessary to see MS's code to know that it is an
>unmaintainable humongous mess. The past record only shows it going
>from bad to worse.  Even MS realise that a total redesign is their
>only long term chance.  Will people continue to pay for their existing
>*every year for the next 5 years. I don't think so.

Microsoft does not help itself by introducing totally new API interfaces
on almost a yearly basis. You need to stick with an API for a long
time to iron out all the bugs and vulnerabilities.

David Mohring - X11R6:Network/Binary compatible back to 1986 X11 Clients

 
 
 


Post by Jules Duboi » Sat, 07 Sep 2002 22:10:14




> Microsoft: 'Our products aren't engineered for security'
> CW360.com Sep 6 2002 4:16AM ET...
> http://c.moreover.com/click/here.pl?r46677969
> [...]
> +Our products just aren't engineered for security," admitted
> +Valentine, who since 1998 has headed Microsoft's Windows division.

They've intimated this in the past, but it's good to see an outright
admission.  For the Windows users, and the non-Windows victims of MS' lack
of security, I hope this is the first of many steps to improve security.  
No more Klez, SQL Server worm, etc., knocking on my door?

> +"It's impossible to solve the problem completely," Valentine said.
> +"As we solve these problems there are hackers who are going to
> +come up with new ones. There's no end to this."

Security is an ongoing process.

> It looks like the folks at Microsoft are discovering something
> that has been known for decades...

They aren't discovering it.  They're making public their knowledge of
their lack of it.

--
"Take your spam and shove it.
 It ain't comin' here no more."

 
 
 


Post by Garf » Sat, 07 Sep 2002 22:33:53





>> Microsoft: 'Our products aren't engineered for security'
>> CW360.com Sep 6 2002 4:16AM ET...
>> http://c.moreover.com/click/here.pl?r46677969

> B-)

> B-b-b-b-b-but NT has class C certification!

Have you ever read the Security Target for the certification of NT to E3???

Well, it's got sweet caveats like NT should only be used in a stand alone
mode, that is not connected to any network and that the OS is not secure
without the special Security Enhancements...

I'd love to lay my hands on the Security Target for Windows 2000!! :))
--
H&Ks
Garf

 
 
 


Post by GreyClou » Sun, 08 Sep 2002 00:00:03



> On Fri, 06 Sep 2002 18:58:16 +0000,


> >comp.os.linux.advocacy to propose the following:

> >> Microsoft: 'Our products aren't engineered for security'
> >> CW360.com Sep 6 2002 4:16AM ET...
> >> http://c.moreover.com/click/here.pl?r46677969
> >> +
> >> +Friday 6 September 2002
> >> +Brian Valentine, senior vice-president in charge of Microsoft's
> >> +Windows development, has made a grim admission to the Microsoft
> >> +Windows Server .net developer conference in Seattle, USA.
> >> +
> >> +"I'm not proud," he told delegates yesterday (5 September). "We
> >> +really haven't done everything we could to protect our customers.
> >> +Our products just aren't engineered for security," admitted
> >> +Valentine, who since 1998 has headed Microsoft's Windows division.
> >> +
> >> ...
> >> +"It's impossible to solve the problem completely," Valentine said.
> >> +"As we solve these problems there are hackers who are going to
> >> +come up with new ones. There's no end to this."

> >> It looks like the folks at Microsoft are discovering something
> >> that has been known for decades...

> >The link given above is now dead and gives the following message:

> >|This CW360 page is currently unavailable
> >|
> >|We apologise for any inconvenience.
> >|
> >|Please try again later.

> The reason for the above is that it's been slashdotted
> http://www.veryComputer.com/

> Almost the same article, with some added MS FUD is at infoworld
> "Lead Windows developer bugged by security"
> ( Should it not be titled "Many Windows users *ed by security"? )
> http://www.veryComputer.com/
> Which includes the MS BS
> +It is not only Microsoft that is to blame for the creation of
> +faulty software, said Chandra Mugunda, a software consultant with
> +Dell Computer in Round Rock, Texas, who attended Valentine's
> +presentation here.
> +
> +"It's an industry-wide problem, it's not just a Microsoft
> +problem," he said. "But they're the leaders, and they should take
> +the lead to solve these problems"
> +
> +Valentine, too, took the opportunity to point out the widespread
> +bugs that have been discovered in competing operating products
> +such as Linux and Unix.
> +
> +"Every operating system out there is about equal in the number of
> +vulnerabilities reported," he said. "We all suck."

> That last statement of Valentine's fails to take into
> consideration that in most cases Unix, open source and free
> licensed software has been designed from the outset
> with at least the issue of security in mind.
> http://www.veryComputer.com/,3959,1866,00.asp

Looks like Valentine doesn't know much about OpenVMS
either.  I don't see any security problems plaguing OpenVMS
like it does with M$.
 
 
 


Post by Max Burk » Sun, 08 Sep 2002 00:38:37



>>> Microsoft: 'Our products aren't engineered for security'
>>> CW360.com Sep 6 2002 4:16AM ET...
>>> http://c.moreover.com/click/here.pl?r46677969
>>> +Friday 6 September 2002
>>> +Brian Valentine, senior vice-president in charge of Microsoft's
>>> +Windows development, has made a grim admission to the Microsoft
>>> +Windows Server .net developer conference in Seattle, USA.
>>> +
>>> +"I'm not proud," he told delegates yesterday (5 September). "We
>>> +really haven't done everything we could to protect our customers.
>>> +Our products just aren't engineered for security," admitted
>>> +Valentine, who since 1998 has headed Microsoft's Windows division.
> David Mohring - Linux,open source and free licensed-To Securely Serve.

This week's 15 top security advisories for various *nix distros.......
http://www.linuxsecurity.com/advisories/index.html

Enjoy.
HTH & GL...   ;-))
--------------------------------------
# ...Because the truth is that open source doesn't cure cancer, doesn't
lead to a global gift economy, and doesn't produce perfect software on
the first, second, or even fifty-seventh try. Hell, I could put together
a laundry list right now of glaring flaws and shortcomings in Linux that
I blame squarely on open source development and developers.
Jason Compton.
http://www.linux-mag.com/online/compton_c01_01.html
--

Replace the obvious with paradise to email me.

See Found Images at :
http://homepages.paradise.net.nz/~mlvburke

 
 
 


Post by Peter K?hlman » Sun, 08 Sep 2002 00:58:04




>>>> Microsoft: 'Our products aren't engineered for security'
>>>> CW360.com Sep 6 2002 4:16AM ET...
>>>> http://c.moreover.com/click/here.pl?r46677969
>>>> +Friday 6 September 2002
>>>> +Brian Valentine, senior vice-president in charge of Microsoft's
>>>> +Windows development, has made a grim admission to the Microsoft
>>>> +Windows Server .net developer conference in Seattle, USA.
>>>> +
>>>> +"I'm not proud," he told delegates yesterday (5 September). "We
>>>> +really haven't done everything we could to protect our customers.
>>>> +Our products just aren't engineered for security," admitted
>>>> +Valentine, who since 1998 has headed Microsoft's Windows division.

>> David Mohring - Linux,open source and free licensed-To Securely Serve.

> This week's 15 top security advisories for various *nix distros.......
> http://www.linuxsecurity.com/advisories/index.html

So you still are unable to read. How very unsurprising

Peter
--
Support your local Search and Rescue unit -- get lost.

 
 
 


Post by Matt » Sun, 08 Sep 2002 01:22:59


> Enjoy.
> HTH & GL...   ;-))
> -------------------------------------- # ...Because the truth is that
> open source doesn't cure cancer, doesn't lead to a global gift economy,
> and doesn't produce perfect software on the first, second, or even
> fifty-seventh try. Hell, I could put together a laundry list right now
> of glaring flaws and shortcomings in Linux that I blame squarely on open
> source development and developers. Jason Compton.

We're waiting.

Matt

 
 
 
