Interessant dazu auch der folgende Beitrag aus der bugtraq Liste:
(die direkten URLs zum download seines Buches hab ich rausgenommen,
damit er nicht gleich "geheist" wird, das Buch kann man über
http://www.forensics.org/ runterladen):
--from Jason Coombs <jasonc[at]science[dot]org>--
I wrote an information security book last year under contract with
Microsoft Press. The book was never published -- among other things
it explains truthfully the poor security condition of Windows and
offers detailed instructions and advice for defending against
Microsoft's bad business practices and incorrect security decisions.
URLs for the free electronic book are:
(PDF)
(Raw Text/PNG Graphics --> safer!)
The security awareness for Windows communicated by my book would have
enabled people to avoid intrusions, infections, damage, and down time
from MS Blaster, SQL Slammer/Sapphire, and many of this year's other
threats. It would also have helped to educate developers of Web
applications so that fewer new vulnerabilities would have been
created.
A few of the specific warnings provided by my book include:
* FrontPage Server Extensions are badly flawed from a security
perspective and should never be used.
* Ports open by default (RPC/DCOM/SMB/Messenger/Workstation
Service/etc) will be found to expose remote exploitable buffer
overflow vulnerabilities and therefore must be protected and closed
at all costs.
* Don't use/rely on Microsoft Baseline Security Analyzer because it
intentionally ignores known vulnerabilities in order to more often
report a happy "you're all patched" message to the admin.
* Internet Information Services cannot be trusted out of the box but
instead must be carefully security hardened beyond anything that
Microsoft normally recommends, and many IIS features must be disabled
in order to achieve a trustworthy subset of Microsoft software.
* ... more ...
If Microsoft intends to launch a PR/advertising campaign against
Linux, perhaps it would take a moment out of its busy schedule to
explain why it won't publish a book that tells the truth and provides
warnings in advance that the only way to safely operate a Windows
computer is to subscribe to infosec mailing lists such as bugtraq and
full-disclosure in order to remain constantly aware of the real-world
condition and capabilities of attackers?
Microsoft suppresses awareness of vulnerabilities in order to profit.
The only way to achieve security in computing is through awareness.
Therefore, Microsoft's profits cause additional insecurity. Go
figure.
Sincerely,
Jason Coombs
(die direkten URLs zum download seines Buches hab ich rausgenommen,
damit er nicht gleich "geheist" wird, das Buch kann man über
http://www.forensics.org/ runterladen):
--from Jason Coombs <jasonc[at]science[dot]org>--
I wrote an information security book last year under contract with
Microsoft Press. The book was never published -- among other things
it explains truthfully the poor security condition of Windows and
offers detailed instructions and advice for defending against
Microsoft's bad business practices and incorrect security decisions.
URLs for the free electronic book are:
(PDF)
(Raw Text/PNG Graphics --> safer!)
The security awareness for Windows communicated by my book would have
enabled people to avoid intrusions, infections, damage, and down time
from MS Blaster, SQL Slammer/Sapphire, and many of this year's other
threats. It would also have helped to educate developers of Web
applications so that fewer new vulnerabilities would have been
created.
A few of the specific warnings provided by my book include:
* FrontPage Server Extensions are badly flawed from a security
perspective and should never be used.
* Ports open by default (RPC/DCOM/SMB/Messenger/Workstation
Service/etc) will be found to expose remote exploitable buffer
overflow vulnerabilities and therefore must be protected and closed
at all costs.
* Don't use/rely on Microsoft Baseline Security Analyzer because it
intentionally ignores known vulnerabilities in order to more often
report a happy "you're all patched" message to the admin.
* Internet Information Services cannot be trusted out of the box but
instead must be carefully security hardened beyond anything that
Microsoft normally recommends, and many IIS features must be disabled
in order to achieve a trustworthy subset of Microsoft software.
* ... more ...
If Microsoft intends to launch a PR/advertising campaign against
Linux, perhaps it would take a moment out of its busy schedule to
explain why it won't publish a book that tells the truth and provides
warnings in advance that the only way to safely operate a Windows
computer is to subscribe to infosec mailing lists such as bugtraq and
full-disclosure in order to remain constantly aware of the real-world
condition and capabilities of attackers?
Microsoft suppresses awareness of vulnerabilities in order to profit.
The only way to achieve security in computing is through awareness.
Therefore, Microsoft's profits cause additional insecurity. Go
figure.
Sincerely,
Jason Coombs