Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
One word.... HA !

james

----- Original Message -----
From: "Jeremiah Cornelius" <>
To: <full-disclosure@lists.netsys.com>
Sent: Friday, October 31, 2003 11:32 AM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

: FLAME ON!
:
: http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
:
: "But there are two other techniques: one is called firewalling and the other
: is called keeping the software up to date. None of these problems (viruses
: and worms) happened to people who did either one of those things. If you had
: your firewall set up the right way - and when I say firewall I include
: scanning e-mail and scanning file transfer -- you wouldn't have had a
: problem. But did we have the tools that made that easy and automatic and that
: you could really audit that you had done it? No. Microsoft in particular and
: the industry in general didn't have it."
:
: "The second is just the updating thing. Anybody who kept their software up to
: date didn't run into any of those problems, because the fixes preceded the
: exploit. Now the times between when the vulnerability was published and when
: somebody has exploited it, those have been going down, but in every case at
: this stage we've had the fix out before the exploit. So next is making it
: easy to do the updating, not for general features but just for the very few
: critical security things, and then reducing the size of those patches, and
: reducing the frequency of the patches, which gets you back to the code
: quality issues. We have to bring these things to bear, and the very dramatic
: things that we can do in the short term have to do with the firewalls and the
: updating infrastructure."
:
: _______________________________________________
: Full-Disclosure - We believe in it.
: Charter: http://lists.netsys.com/full-disclosure-charter.html

James Edwards
Routing and Security Administrator
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200
SIP:1(747)669-1965
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Xns94258238F273Cbruns2mbitcom%40130.133.1.4

From my post to the NANAE newsgroup...

My favorite quote is...

BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software.

It's good to know my Putty application can't talk to my OpenSSH server, or that my EXIM mail server can't actually talk to other mail servers. :-)

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org

----- Original Message -----
From: "james" <hackerwacker@cybermesa.com>
To: <nanog@nanog.org>
Sent: Friday, October 31, 2003 5:00 PM
Subject: Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
One word.... HA !
james
You guys missed it, Gates is utterly right. There is no such thing as perfect code. Where he errs is that his code is utter and unremarkable crap based on poorly conceived designs based on a perceived difficulty of use problem. The simple solution was to design it for the average person and then tell anyone who couldn't figure it out to get stuffed. Sadly that didn't happen here, or when dcom came out, or when activex sucked, or when dcom came out again, or every time they release Outlook (Express).

On Fri, 31 Oct 2003 17:43:16 -0500 "Brian Bruns" <bruns@2mbit.com> wrote:
My favorite quote is...
BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software.
It's good to know my Putty application can't talk to my OpenSSH server, or that my EXIM mail server can't actually talk to other mail servers.
:-)
-- Andrew D Kirch | trelane@2mbit.com | Security Admin | Summit Open Source Development Group | www.sosdg.org
On Fri, 2003-10-31 at 18:35, Andrew D Kirch wrote:
You guys missed it, Gates is utterly right. There is no such thing as perfect code.
Hmmm, I think that is a given. Even my ponytail knows that! Gates just has a talent with spin.
Where he errs is that his code is utter and unremarkable crap based on poorly conceived designs based on a perceived difficulty of use problem. The simple solution was to design it for the average person and then tell anyone who couldn't figure it out to get stuffed. Sadly that didn't happen here, or when dcom came out, or when activex sucked, or when dcom came out again, or every time they release Outlook (Express).
Yep, change the prompt, shoehorn 32 bits onto 8 bits and "we are done here".

--
James Edwards
Routing and Security
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
505-988-9200
SIP:747-669-1965
If you take all of this together we have Microsoft is going to supply us with code that does not work that will allow programmers who know what they are doing to talk to any windows system in the world. Cool.

On Fri, 31 Oct 2003, Andrew D Kirch wrote:
You guys missed it, Gates is utterly right. There is no such thing as perfect code. Where he errs is that his code is utter and unremarkable crap based on poorly conceived designs based on a perceived difficulty of use problem. The simple solution was to design it for the average person and then tell anyone who couldn't figure it out to get stuffed. Sadly that didn't happen here, or when dcom came out, or when activex sucked, or when dcom came out again, or every time they release Outlook (Express).
On Fri, 31 Oct 2003 17:43:16 -0500 "Brian Bruns" <bruns@2mbit.com> wrote:
My favorite quote is...
BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software.
It's good to know my Putty application can't talk to my OpenSSH server, or that my EXIM mail server can't actually talk to other mail servers.
:-)
_____
Douglas Denault
doug@safeport.com
Voice: 301-469-8766
Fax: 301-469-0601
Brian Bruns wrote:
My favorite quote is...
BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software.

What *is* TCP/IP if it isn't software talking to software?
Dave Howe wrote:
Brian Bruns wrote:
My favorite quote is...
BG: Until we had this concept of Web services, software on the Internet couldn't talk to other software on the Internet. The only thing that worked was you could move bits - that's TCP/IP - or you could put up screens - that's HTML - but software couldn't talk to software.

What *is* TCP/IP if it isn't software talking to software?

The rules software talking to software is supposed to follow?
Participants (6): Andrew D Kirch, Brian Bruns, Dave Howe, doug@safeport.com, james, Laurence F. Sheldon, Jr.