...der sich mit sowas auskennt.
Grüsse,
Der Franzose
Dazu heute ein Zitat aus der Liste Full-Disclosure, das mir sehr gut
gefallen hat, da es deutlich Schwächen in Microsofts Grundverständnis
zum Thema Sicherheit offenbart:
Sujet: [Full-Disclosure] MS Security Response is a bunch of
half-witted morons
De: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
Date: Fr, 12.03.2004, 02:57
Try to read Microsoft's latest security epistles:
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx
with a browser that does not have JavaScript enabled...
(And yes, they have retrofitted this "improvement" to _all_ previous
security bulletins...)
Earth to MSRP:
1. Your job is to improve security.
2. Two years ago Billy Boy charged the whole of the company to
straighten up its act as regards security.
3. MS Security Bulletins were "improved" about 24-30 months ago by a
web design team that clearly does not have an ounce of security
smarts among its entire membership. That "improvement" (_purely_
aesthetic, and highly debatable anyway) made the bulletins unreadable
in IE unless you are prepared to trust MS and its web presence
providers (I'm not for various reasons -- the company as whole is
just far too large and "attractive" a target; there have been some
very bad whoops-es with Akamai and the Nimda virus; etc). Anyway,
that "improvement" was the final straw that moved me to using Mozilla
as my browser of choice, as it rendered that "improved" form of your
pages fine, _and_ with scripting and the like disabled.
4. Now the Security Bulletins have been "improved" even further,
turning the detail expansion links into frelling javascript links.
What in the blue blazes is between the ears of your web development
folk? Have they forgotten that the venerable HREF tag can work
without scripting, ActiveX and all manner of other popular but
unnecessary cr*p that web designers can't seem to ignore? When it
comes to security bulletins, f*ck art -- give me _readable content_.
Sheeeesh!!!
A few weeks back some online magazine editor was asking for clear,
reasoned arguments that "Microsoft just doesn't get security".
Arguments be damned -- if you have two security clues you only have
to look at MS' own security web pages to _see_ that "Microsoft just
doesn't get security".
TCI is clearly a media and PR circus.
(In case the magazine editor and his conspirator still do not get the
point of the above, Microsoft has no business dictating _my_ or
_anyone else's_ security policies. This is as fundamental an aspect
of security as there is. Posting its security bulletins in a format
that requires their readers to set their browsers to a configuration
that is acknowledged to be _severely security lowering_, while
maintaining that it is doing everything possible to improve the
security of its products, is the height of hypocrisy and clearly
makes a lie of its public proclamations that it is working to further
improve security.)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Grüsse,
Der Franzose
Dazu heute ein Zitat aus der Liste Full-Disclosure, das mir sehr gut
gefallen hat, da es deutlich Schwächen in Microsofts Grundverständnis
zum Thema Sicherheit offenbart:
Sujet: [Full-Disclosure] MS Security Response is a bunch of
half-witted morons
De: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
Date: Fr, 12.03.2004, 02:57
Try to read Microsoft's latest security epistles:
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx
with a browser that does not have JavaScript enabled...
(And yes, they have retrofitted this "improvement" to _all_ previous
security bulletins...)
Earth to MSRP:
1. Your job is to improve security.
2. Two years ago Billy Boy charged the whole of the company to
straighten up its act as regards security.
3. MS Security Bulletins were "improved" about 24-30 months ago by a
web design team that clearly does not have an ounce of security
smarts among its entire membership. That "improvement" (_purely_
aesthetic, and highly debatable anyway) made the bulletins unreadable
in IE unless you are prepared to trust MS and its web presence
providers (I'm not for various reasons -- the company as whole is
just far too large and "attractive" a target; there have been some
very bad whoops-es with Akamai and the Nimda virus; etc). Anyway,
that "improvement" was the final straw that moved me to using Mozilla
as my browser of choice, as it rendered that "improved" form of your
pages fine, _and_ with scripting and the like disabled.
4. Now the Security Bulletins have been "improved" even further,
turning the detail expansion links into frelling javascript links.
What in the blue blazes is between the ears of your web development
folk? Have they forgotten that the venerable HREF tag can work
without scripting, ActiveX and all manner of other popular but
unnecessary cr*p that web designers can't seem to ignore? When it
comes to security bulletins, f*ck art -- give me _readable content_.
Sheeeesh!!!
A few weeks back some online magazine editor was asking for clear,
reasoned arguments that "Microsoft just doesn't get security".
Arguments be damned -- if you have two security clues you only have
to look at MS' own security web pages to _see_ that "Microsoft just
doesn't get security".
TCI is clearly a media and PR circus.
(In case the magazine editor and his conspirator still do not get the
point of the above, Microsoft has no business dictating _my_ or
_anyone else's_ security policies. This is as fundamental an aspect
of security as there is. Posting its security bulletins in a format
that requires their readers to set their browsers to a configuration
that is acknowledged to be _severely security lowering_, while
maintaining that it is doing everything possible to improve the
security of its products, is the height of hypocrisy and clearly
makes a lie of its public proclamations that it is working to further
improve security.)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html