Micro$oft exec says all os's insecure ... forgets about VMS!


Post by Bob Ceculs » Sun, 08 Sep 2002 22:51:24



he got it right except for the last line ... VMS doesn't have these
problems!

 Lead Windows developer bugged by security

By Matt Berger
September 5, 2002 1:46 pm PT

 SEATTLE -- BRIAN Valentine says he's not proud.

The senior vice president in charge of Microsoft's Windows development
team has reason not to be. One of his most notable works, the Windows
2000 operating system, has a security record that is nothing to boast
about. In fact, it's downright dismal, many experts say.

Security bulletins warning of holes and vulnerabilities in Microsoft
operating systems are a regular occurrence. Late Wednesday, the
company released a bulletin warning of a flaw in its digital
certificate technology that could allow attackers to steal a user's
credit card information. It is the second security bulletin to be
issued this month.

In August, Microsoft warned in one of eight security bulletins issued
that month, that many of its customers have experienced "an increased
amount of hacking," in their various Windows systems. The Redmond,
Wash., company has yet to identify the root of the problem, only
saying that it has noticed some major similarities between the string
of hack attacks.

"As of August 2002, the PSS [Product Support Services] Security Team
has not been able to determine the technique that is being used to
gain access to the computer," the company wrote in its security
bulletin posted on August 30.

In short, Microsoft is stumped.

It is a case in point of the problems that the company is currently
facing as it struggles to release more secure code around its new
generation of .Net software and win redemption from customers who have
been burned by buggy products. Its latest attempt to fight the problem
is embodied in a company-wide effort called the Trustworthy Computing
Initiative. As that effort lumbers to show results, the company is
filling in the gaps with apologies.

"I'm not proud," Valentine said, as he spoke to a crowd of developers
here at the company's Windows .Net Server developer conference. "We
really haven't done everything we could to protect our customers ...
Our products just aren't engineered for security."

The Windows 2000 operating system has been pummeled by continual
security holes, some so widespread that they have resulted in major
damage to computer systems around the world. Most notable are the Code
Red and Nimda worms, which exploit a vulnerability in the operating
system.

Customers seem to agree that Microsoft's spotty record with security
has been a detriment to their own development of computer systems. One
Windows systems consultant here, who wished to remain anonymous, said
that security issues with Microsoft's IIS (Internet Information
Server) Web server have left a bad taste in many customers' mouths.

"Some of the customers I've worked with simply won't use IIS," the
systems consultant said. "That's bad for us. We're losing business
because of it."

Microsoft's Trustworthy Computing Initiative, which was launched with
a memo from Bill Gates, Microsoft's chairman and chief software
architect, has become the blanket program that resulted from
Microsoft's revelations. With the launch of the initiative, Microsoft
halted production on new code in all of its products and charged
employees with scanning through every line of existing code in search
of vulnerabilities.

"We realized that we couldn't continue with the way we were building
software and expect to deliver secure products," Valentine said.

But the company is dealing with a problem that isn't going away
anytime soon. Valentine noted here that as the company works to shore
up its products, the security dilemma will evolve with more
sophisticated hackers.

"It's impossible to solve the problem completely," Valentine said. "As
we solve these problems there are hackers who are going to come up
with new ones.

"There's no end to this," he said.

During Microsoft's early years, security didn't drive the way the
company built its software, said Michael Cherry, lead systems analyst
at independent research company Directions on Microsoft.

"If you go back a few years, unless you were working on login at
Microsoft, you really didn't worry about security. The risk wasn't
worth the effort," Cherry said.

One reason is because many of the early hackers who drilled into
Windows didn't disrupt business with their hack attacks, Valentine
noted. Rather they were just out for glory. But in the past year, many
of the hacks launched against Microsoft software, most notably the
Code Red and Nimda worms, have been malicious, going after business
processes, and in many cases shutting those processes down.

"They went from glory hackers to what I call digital terrorists,"
Valentine said.

Microsoft has also been employing new tools developed by Microsoft
Research that are designed to detect errors in code during the
development process, Valentine said.

Adam Kolawa, CEO of ParaSoft, a company that makes error-prevention
tools used by IBM, said Microsoft has long ignored the problem of
fixing code when it is being produced. "Microsoft is paying a lip
service to this problem," Kolawa said.

It is not only Microsoft that is to blame for the creation of faulty
software, said Chandra Mugunda, a software consultant with Dell
Computer in Round Rock, Texas, who attended Valentine's presentation
here.

"It's an industry-wide problem, it's not just a Microsoft problem," he
said. "But they're the leaders, and they should take the lead to solve
these problems."

Valentine, too, took the opportunity to point out the widespread bugs
that have been discovered in competing operating products such as
Linux and Unix.

"Every operating system out there is about equal in the number of
vulnerabilities reported," he said. "We all suck."

 
 
 


Post by Neil Joseph Scull » Mon, 09 Sep 2002 00:21:14



> he got it right except for the last line ... VMS doesn't have these
> problems!

VMS is security through obscurity just like Windows.  His point is that all
operating systems have the same number of bugs and security problems, which
is correct.  The problems with MS software is that they aren't fixed quickly
or at all sometimes.  In Linux or BSD, where there is always active
development, bugs are often fixed within hours so they never become a
problem.  With VMS, the security model is just the same as Windows.  If VMS
were popular enough to be worth crackers' time, it would fail just as
quickly.
-N

 
 
 


Post by Michael Heimin » Mon, 09 Sep 2002 03:46:49



> he got it right except for the last line ... VMS doesn't have
> these problems!

>  Lead Windows developer bugged by security

> By Matt Berger
> September 5, 2002 1:46 pm PT

>  SEATTLE -- BRIAN Valentine says he's not proud.

[SNIP]

In short, the usual M$ crap. What has this to do with cols?

Michael Heiming
--
Remove the +SIGNS case mail bounces.

 
 
 


Post by Kasper Dupon » Mon, 09 Sep 2002 04:38:48



[blah blah blah]

Hi again Bob

Why don't you instead tell us about the progress with
your project to improve Linux security by rewriting
the entire kernel in a language nobody knows??

Oh, no progress? Then go back and work on it instead
of bothering us.

--
Kasper Dupont -- who spends too much time on usenet.


 
 
 


Post by Christopher Brown » Mon, 09 Sep 2002 05:13:41




> [blah blah blah]
> Hi again Bob

> Why don't you instead tell us about the progress with
> your project to improve Linux security by rewriting
> the entire kernel in a language nobody knows??

> Oh, no progress? Then go back and work on it instead
> of bothering us.

I'm sure there are some retired VMS hackers that know BLISS.  

It's just that I don't think there's a BLISS compiler that would be
useful for the purpose.

The Retromuseum <http://www.pdc.kth.se/~jas/retro/retromuseum.html>
apparently has parts of a Bliss-to-C compiler; it's not presently
functioning...

Someone should write a kernel using MUMPS; no viruses there! :-)
--

http://cbbrowne.com/info/emacs.html
"I have  traveled the  length and breadth  of this country  and talked
with the best people, and can assure you that data processing is a fad
that won't  last out  the year".  --  Business books  editor, Prentice
Hall 1957

 
 
 


Post by miker » Mon, 09 Sep 2002 05:22:16



> he got it right except for the last line ... VMS doesn't have these
> problems!

Back in college, we had a VAX/VMS machine for the comp sci dept.  One of my
buddies, straight out of high school, had to go visit the sysadmin on a
regular basis to let him know of the latest security flaw he'd found.  He
probably could have taken that system down any time he wanted, but had more
common sense than to waste his time on something with no reward.

I have another friend that designed his own OS in 68k asm with full gui,
etc.  Using the VMS argument, it is the most secure system on the planet,
it's never been hacked.... then again, it doesn't really have a user base,
so it's never been tested.

 
 
 


Post by Luke Voge » Mon, 09 Sep 2002 09:07:53


Shit, I just cleaned up my Kill file ...

Now we start again.

Please don't feed this troll.
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------

 
 
 


Post by Kasper Dupon » Mon, 09 Sep 2002 19:55:51




> Shit, I just cleaned up my Kill file ...

LOL. You need a kill file with expiry date,
and give the guy a longer expiry every time
this happens.

> Now we start again.

Do we?

> Please don't feed this troll.

I'm not going to do. Whatever Bob Troll
Ceculski is going to write, I'm going to
give him essentially the same answer:

--
Kasper Dupont -- who spends too much time on usenet.


 
 
 


Post by Bob Ceculs » Mon, 09 Sep 2002 21:20:25





> > he got it right except for the last line ... VMS doesn't have these
> > problems!
> Back in college, we had a VAX/VMS machine for the comp sci dept.  One of my
> buddies, straight out of high school, had to go visit the sysadmin on a
> regular basis to let him know of the latest security flaw he'd found.  He
> probably could have taken that system down any time he wanted, but had more
> common sense than to waste his time on something with no reward.

> I have another friend that designed his own OS in 68k asm with full gui,
> etc.  Using the VMS argument, it is the most secure system on the planet,
> it's never been hacked.... then again, it doesn't really have a user base,
> so it's never been tested.

again you revert back 15-20 years to a few vax/vms bugs that have been
taken care of years ago ... we're now on Alpha VMS 7.3-1, soon to be
Itanium OpenVMS ... go check the certs for the last ten years for VMS
and every other major OS then come back and talk about VMS security ...
 
 
 


Post by Bob Ceculs » Mon, 09 Sep 2002 21:26:53





> > he got it right except for the last line ... VMS doesn't have these
> > problems!

> VMS is security through obscurity just like Windows.  His point is that all
> operating systems have the same number of bugs and security problems, which
> is correct.  The problems with MS software is that they aren't fixed quickly
> or at all sometimes.  In Linux or BSD, where there is always active
> development, bugs are often fixed within hours so they never become a
> problem.  With VMS, the security model is just the same as Windows.  If VMS
> were popular enough to be worth crackers' time, it would fail just as
> quickly.
> -N

wrong, VMS is security thru security ... and the windows model is
nothing like vms ... and if you would go back and check certs for
the last ten years for vms and every other major os, you would see
that this exec's statement and yours is untrue ...
 
 
 


Post by Tim Hayne » Mon, 09 Sep 2002 21:26:08





>> Shit, I just cleaned up my Kill file ...

> LOL. You need a kill file with expiry date, and give the guy a longer
> expiry every time this happens.

No no, expiring adaptive scoring, please! ;)

>> Please don't feed this troll.

> I'm not going to do. Whatever Bob Troll Ceculski is going to write, I'm
> going to give him essentially the same answer:


Much as I hate to say it, after the last fortnight's worth of racist utter
*wits running rampant on this group, a troll we know and hate is an
improvement - at least I know what I'm killfiling ;p)

~Tim
--

The apple must fall to the ground           |http://www.veryComputer.com/

 
 
 


Post by Neil Joseph Scull » Tue, 10 Sep 2002 07:47:34


> wrong, VMS is security thru security ... and the windows model is
> nothing like vms ... and if you would go back and check certs for
> the last ten years for vms and every other major os, you would see
> that this exec's statement and yours is untrue ...

Unless you mean to tell me that there have been no bugs in VMS over the last
10 years, re-evaluate what you just said to me and what I said.  VMS has had
bugs and probably comparable numbers to any other OS given proper attention
to usage statistics.  The number of bugs found in VMS relative to its
installed base is not from what I can gather any different from the number
of bugs in any OS compared to its user base.

My statement was a testament to the open-source, constant development, OSs
out there who fix bugs pretty much regardless of severity really quickly.
MS certainly doesn't do the same.  VMS specifically is difficult to break
for even an experienced cracker because there is little information about
the various exploits that have been found available - that information is
kept hush hush like any closed source OS.  Rather, VMS gives you a fix and
says fix it and you're left to assume the bug, whatever it was, was fixed.
That is by definition security by obscurity.

Security through obscurity is easy to disguise as security through security
when no one uses it.
-N

 
 
 


Post by Nico Kadel-Garci » Tue, 10 Sep 2002 14:21:19




> > wrong, VMS is security thru security ... and the windows model is
> > nothing like vms ... and if you would go back and check certs for
> > the last ten years for vms and every other major os, you would see
> > that this exec's statement and yours is untrue ...

> Unless you mean to tell me that there have been no bugs in VMS over the last
> 10 years, re-evaluate what you just said to me and what I said.  VMS has had
> bugs and probably comparable numbers to any other OS given proper attention
> to usage statistics.  The number of bugs found in VMS relative to its
> installed base is not from what I can gather any different from the number
> of bugs in any OS compared to its user base.

Apples and Oranges. VMS has a small userbase, and an even smaller developer
base, for a very limited set of uses and its original core is quite mature,
stable, and proprietary, preventing people from doing really stupid things
to it. It is of course useless to modern developers for these same reasons.

While Linux has lots of bugs, they tend to be smaller and more easily
addressed due to the widely varied source base and incredibly varied
developer base. Evolution in action.

Microsoft, on the other hand, focuses on adding "features" for commercial
use rather than fixing things. The results include the incredible piece of
proprietary hackery called "Plug N' Pray", which Linux actually does much
better by following the damn spec, and that evolution of Novell's work
called SMB, which Linux actually does better with Samba.

 
 
 


Post by Bob Ceculs » Tue, 10 Sep 2002 21:57:40





> > > wrong, VMS is security thru security ... and the windows model is
> > > nothing like vms ... and if you would go back and check certs for
> > > the last ten years for vms and every other major os, you would see
> > > that this exec's statement and yours is untrue ...

> > Unless you mean to tell me that there have been no bugs in VMS over the last
> > 10 years, re-evaluate what you just said to me and what I said.  VMS has had
> > bugs and probably comparable numbers to any other OS given proper attention
> > to usage statistics.  The number of bugs found in VMS relative to its
> > installed base is not from what I can gather any different from the number
> > of bugs in any OS compared to its user base.

> Apples and Oranges. VMS has a small userbase, and an even smaller developer
> base, for a very limited set of uses and its original core is quite mature,
> stable, and proprietary, preventing people from doing really stupid things
> to it. It is of course useless to modern developers for these same reasons.

so we are supposed to use this so-called modern platform and get
hacked and blue-screened and rebooted to death?  You can't run a
business like that!  And VMS is not useless, unless modern developers
like to write garbage code on a garbage platform ... you make no sense!
 
 
 


Post by Bob Ceculs » Tue, 10 Sep 2002 22:02:45



> > wrong, VMS is security thru security ... and the windows model is
> > nothing like vms ... and if you would go back and check certs for
> > the last ten years for vms and every other major os, you would see
> > that this exec's statement and yours is untrue ...

> Unless you mean to tell me that there have been no bugs in VMS over the last
> 10 years, re-evaluate what you just said to me and what I said.  VMS has had
> bugs and probably comparable numbers to any other OS given proper attention
> to usage statistics.  The number of bugs found in VMS relative to its
> installed base is not from what I can gather any different from the number
> of bugs in any OS compared to its user base.

> My statement was a testament to the open-source, constant development, OSs
> out there who fix bugs pretty much regardless of severity really quickly.
> MS certainly doesn't do the same.  VMS specifically is difficult to break
> for even an experienced cracker because there is little information about
> the various exploits that have been found available - that information is
> kept hush hush like any closed source OS.  Rather, VMS gives you a fix and
> says fix it and you're left to assume the bug, whatever it was, was fixed.
> That is by definition security by obscurity.

> Security through obscurity is easy to disguise as security through security
> when no one uses it.
> -N

wrong again!  There have been two certs in the last ten years, one
being a decwindows minor issue, nothing that would relate to the net.
As a matter of fact, most certs for ip issues do not affect vms, like
the last snmp one, vms just gave an "access violation" error ...
and if you want to prove it to yourself, go look up the patches for
vms, I patch occasionally as needed and there has not been a security
issue since the decwindows patch, most are device driver related ...
your opinion is not backed by the evidence!