Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Your Opinion

from [Neale Green] Network Security [Permanent Link]
Subject: RE: Your Opinion
Date: Wed, 21 Mar 2007 15:30:14 Australia/NSW 

FWIW,

My concerns in regard to this do not relate to the fact that Microsoft is 
selling products to address security issues in its other products, they, 
like all other major players, are in business for the revenue, if people 
are prepared to pay for their products they will, if not they'll go 
elsewhere for their security solutions, commercial or otherwise.

My concerns relate more to the long standing and excessively common 
practice in Microsoft solutions to grant additional (and in regard to 
Security issues, excessive) accesses to it's products and/or sites to 
enhance the apparent performance of its products, against other products, 
AND that most of these additional accesses are "below the covers", so 
they are difficult to collate details for, and/or to block/control them.

Developers have/will always (in my experience) emply any mechanisms to 
simplify processes and enhance performance, in MANY instances the risk to 
the security and integrity of the environment in which it's deployed is 
considerably increased by these practices, all the more so when it is 
covered up my the operating system processes.

FWIW, this is just the opinion of a long standing security person, who's 
been fgighting many vendors for a long time on these issues, not just 
Microsoft.

Neale Green 


I have heard the comment "It's a huge conflict of interest" for one
company to provide both an operating platform and a security platform"
made by John Thompson (CEO Symantec) many times from many different
people.  See article below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS,
why would it be a conflict of interest for them to want to protect their
own OS from attack.  One would assume that this is a responsible
approach by the vendor, but one could also argue that their OS should be
coded securely in the first place.  If this were to happen then the need
for the Symantec's, McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark 


All mail to and from this domain is GFI-scanned.


.....


All mail to and from this domain is GFI-scanned.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Your Opinion, jay.tomas
Next by Date:  [Full-disclosure] iDefense Security Advisory 03.23.07: DataRescue IDA Pro Remote Debugger Server Authentication Bypass Vulnerability, iDefense Labs
Previous by Thread:  RE: Your Opinion, Jim Harrison
Next by Thread:  [Full-disclosure] Call For Papers - IT Underground Dublin, Marcin Tkaczyk
Indexes:  [Date] [Thread] [Top] [All Lists]