Re: [SC-L] Any software security news from the RSA conference?
Any software change is bound to inconvenience somebody. With Microsoft, I find the problem is not that they make changes but that they make changes WITHOUT properly announcing them. For example, if they do make a change and announce it at some conference, that gets the message to some small percentage of the people who NEED to get the message. Grandma and her e-mail client and pictures of her grandkids is totally clueless and possibly hostile towards detailed change information. I'm not grandma. I take pride in knowing what is going on and can do so if only I am enabled to do so.

Mark Rockman, B.S., MCP

----- Original Message -----
From: "Alun Jones" <[EMAIL PROTECTED]>
To: "'ljknews'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, February 27, 2004 18:58
Subject: RE: [SC-L] Any software security news from the RSA conference?

> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of ljknews
> > Sent: Friday, February 27, 2004 9:51 AM
> >
> > You must be thinking of a different Bill Gates than the one familiar
> > to me. I am thinking of the one who announced a few years ago that
> > Microsoft would stop other activities for a month and fix
> > their security.
>
> I wonder if this is the same Bill Gates who then doubled that time off new
> development (note - he doesn't talk about security as a finished job), and
> mandates the reading of the book "Writing Secure Code", amongst other
> things.
>
> But Bill isn't the only person at Microsoft, and it's really important that
> a large number of people at Microsoft "get it". Bill's job, when he turns
> up to these things, is essentially to say whatever Microsoft's game plan is,
> currently, not to impress us that he has found religion. What's key is the
> number of other people within Microsoft that "get security". As a Security
> MVP, I get to spend time with some of these people, and they really do seem
> to have a clue - I should know, I fill their inboxes with whatever my latest
> pontifications on security are, and I read the responses I get back very
> carefully.
>
> Microsoft has a lot of code to contend with, and much of it is old - so a
> lot of it has had to be scrubbed clean of imperfections, and some has had to
> be re-written. And yet, they're actually _doing_ it. How many people are
> howling about the decision to remove the non-RFC http format that's used by
> so many scammers and spammers? How many people are going to howl that
> enabling the firewall by default in SP2 makes life "harder" for them? There
> are some very tough decisions being made in the right direction here, I
> think.
>
> Alun.
>
> --
> Texas Imperial Software   | Find us at http://www.wftpd.com or email
> 1602 Harvest Moon Place   | [EMAIL PROTECTED]
> Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
RE: [SC-L] Any software security news from the RSA conference?
At 5:58 PM -0600 2/27/04, Alun Jones wrote:

>Microsoft has a lot of code to contend with, and much of it is old - so a
>lot of it has had to be scrubbed clean of imperfections, and some has had to
>be re-written.

A few years ago I heard the problem described as the opposite - that for Windows V.something about 30% of the existing code was entirely replaced (compared to corrected), which is more than _any_ organization can handle safely on a project of that size.
RE: [SC-L] Any software security news from the RSA conference?
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ljknews
> Sent: Friday, February 27, 2004 9:51 AM
>
> You must be thinking of a different Bill Gates than the one familiar
> to me. I am thinking of the one who announced a few years ago that
> Microsoft would stop other activities for a month and fix
> their security.

I wonder if this is the same Bill Gates who then doubled that time off new development (note - he doesn't talk about security as a finished job), and mandates the reading of the book "Writing Secure Code", amongst other things.

But Bill isn't the only person at Microsoft, and it's really important that a large number of people at Microsoft "get it". Bill's job, when he turns up to these things, is essentially to say whatever Microsoft's game plan is, currently, not to impress us that he has found religion. What's key is the number of other people within Microsoft that "get security". As a Security MVP, I get to spend time with some of these people, and they really do seem to have a clue - I should know, I fill their inboxes with whatever my latest pontifications on security are, and I read the responses I get back very carefully.

Microsoft has a lot of code to contend with, and much of it is old - so a lot of it has had to be scrubbed clean of imperfections, and some has had to be re-written. And yet, they're actually _doing_ it. How many people are howling about the decision to remove the non-RFC http format that's used by so many scammers and spammers? How many people are going to howl that enabling the firewall by default in SP2 makes life "harder" for them? There are some very tough decisions being made in the right direction here, I think.

Alun.

--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
Re: [SC-L] Any software security news from the RSA conference?
At 2:08 PM -0500 2/26/04, Bill Cheswick wrote:

>Bill Gates gave a keynote on their current approach to security, and
>the contents of SP2, due out 1H 2004. From what I heard, Bill
>"gets it." He addressed about 4 of my top 6 complaints and remediations.
>Quite a change from the rhetoric of five years ago.
>But it is an Augean stable, and they have a long way to go.

You must be thinking of a different Bill Gates than the one familiar to me. I am thinking of the one who announced a few years ago that Microsoft would stop other activities for a month and fix their security.
Re: [SC-L] Any software security news from the RSA conference?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While I'm not there and not keeping up with it, I haven't really heard much about Gates' keynote - I'm curious what exactly your top 6 complaints are? I think overall security-wise with Windows my top one is that it's so over-integrated and that it tramples itself security-wise, but I'm curious to hear what others have to say.

On Thu, 26 Feb 2004, Bill Cheswick wrote:

> Bill Gates gave a keynote on their current approach to security, and
> the contents of SP2, due out 1H 2004. From what I heard, Bill
> "gets it." He addressed about 4 of my top 6 complaints and remediations.
> Quite a change from the rhetoric of five years ago.
> But it is an Augean stable, and they have a long way to go.
>
> Of course, the devil is in the details, and we will have to see.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAP6VJsKAeTAhLiCERAjdfAJ9vUy5n3OIsWKgurFD7wT7mF7umYgCePjXd
B7Djz/Ca9Uc/jbGoTy5zRB8=
=wSqk
-----END PGP SIGNATURE-----
RE: [SC-L] Any software security news from the RSA conference?
http://www.dean.usma.edu/socs/ir/ss478/General%20Gordon%20Bio.pdf

What John Gordon is doing giving a keynote at the RSA conference is utterly and completely beyond my ability to comprehend. If you read his bio at the link above, you'll find he has absolutely zero background in software or computer systems. He's obviously a smart cookie (ex-physicist at Air Force Weapons Lab, a stint at Sandia, etc) but he's not in any position to authoritatively say jack squat about software vulnerabilities - unless there's something I'm not reading about his background.

I love his perspective though .. Sure John, it's the DEVELOPERS' fault that MANAGEMENT makes the promises and DEMANDS product be shipped two weeks before it's even spec'd. God, I sure do wish I had thought of just spending more time debugging when the CEO was screaming at me.. "either you ship *IT* or I ship *YOU*".

This also tells me he's completely unfamiliar with the concept of offshore outsourcing. psss.. hey, John .. A LOT OF THE CODE'S NOT EVEN WRITTEN HERE, BUDDY! :-)

I'm glad I didn't go .. I would have felt cheated out of my admission fee by hearing the blathering of someone like this.

Kind Regards (and in somewhat of a cranky mood),

-dsp

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Mark Curphey
> Sent: Thursday, February 26, 2004 7:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SC-L] Any software security news from the RSA conference?
>
>
> Looks like the link I was pointing to didn't make it
>
> Here it is again
>
> http://news.zdnet.co.uk/internet/security/0,39020375,39147413,00.htm
>
> And the text below
>
> Software makers could eliminate most current security issues if
> they only tried harder, according to a Homeland Security advisor
>
>
> An advisor to the US' Homeland Security Council has lashed out at
> software developers, arguing their failure to deliver secure code
> is responsible for most security threats.
>
> Retired lieutenant general John Gordon, presidential assistant
> and advisor to the Homeland Security Council, used his keynote
> address at the RSA Security conference in San Francisco on
> Wednesday to question how much effort developers are putting into
> ensuring their code is watertight. "This is a problem for every
> company that writes software. It cannot be beyond our ability to
> learn how to write and distribute software with much higher
> standards of care and much reduced rate of errors and much
> reduced set of vulnerabilities," he said.
>
> Gordon's keynote followed a day after that of Microsoft chairman
> Bill Gates.
>
> According to Gordon, if developers could reduce the error and
> vulnerability rate by a factor of 10, it would "probably
> eliminate something like 90 percent of the current security
> threats and vulnerabilities.
>
> "Once we start writing and deploying secure code, every other
> problem in cybersecurity is fundamentally more manageable as we
> close off possible points of attack," he said.
>
> Gordon also criticised wireless network manufacturers for making
> encryption too difficult to deploy, even for "technically
> competent" users. He made the comments after explaining that he
> had spent a long weekend trying to set up a Wi-Fi network at his house.
>
> "One manufacturer got to invest an entire man-day of tech support
> and about eight hours of telephone charges. At the end of the
> day, I still had not accomplished a successful installation,"
> said Gordon, who eventually managed to get the network running by
> "taking some steps that were not in the documentation".
>
> However, he said the documentation didn't make it clear how to
> secure his network: "The industry needs to make it easy for users
> like me -- who are reasonably technically competent -- to employ
> solid security features and not make it so tempting to simply
> ignore security."
>
>
> Mark Curphey <[EMAIL PROTECTED]> wrote:
> > I thought this was interesting. I missed it but I am sure the
> message will
> > please many on this list (myself included)
> >
> > Bill Cheswick <[EMAIL PROTECTED]> wrote:
> > > Bill Gates gave a keynote on their current approach to security, and
> > > the contents of SP2, due out 1H 2004. From what I heard, Bill
> > > "gets it." He addressed about 4 of my top 6 complaints and
> remediations.
> > > Quite a change from the rhetoric of five years ago.
> > > But it is an Augean stable, and they have a long way to go.
> > >
> > > Of course, the devil is in the
Humor: Re: [SC-L] Any software security news from the RSA conference?
On Thu February 26 2004 19:32, Mark Curphey quoted:

> According to Gordon, if developers could reduce the error and
> vulnerability rate by a factor of 10, it would "probably eliminate
> something like 90 percent of the current security threats and
> vulnerabilities.

This factoid brought to you by the Department of Tautology

[Ed. *grin* I recall a Dilbert in which Wally informed a panic-stricken pointy-haired-boss that a _full_ 40 percent of the department's absenteeism occurs on Mondays and Fridays... Have a great weekend, everybody. :-) KRvW]
RE: [SC-L] Any software security news from the RSA conference?
I am here at RSA waving around the software security banner. This is my first time at RSA. We certainly talked about this at my panel with Ches, Avi Rubin, and Paul Kocher. Also, I am busy talking about Exploiting Software with the trade press, and that is going well. Software security is getting a decent amount of airplay in booth land.

Check out TechTV tomorrow at 7pm EST [UTC -0500] for live software foo on Screensavers.

gem
Re: [SC-L] Any software security news from the RSA conference?
I thought this was interesting. I missed it but I am sure the message will please many on this list (myself included)

Bill Cheswick <[EMAIL PROTECTED]> wrote:
> Bill Gates gave a keynote on their current approach to security, and
> the contents of SP2, due out 1H 2004. From what I heard, Bill
> "gets it." He addressed about 4 of my top 6 complaints and remediations.
> Quite a change from the rhetoric of five years ago.
> But it is an Augean stable, and they have a long way to go.
>
> Of course, the devil is in the details, and we will have to see.
>
> On Wed, Feb 25, 2004 at 02:38:32PM -0500, Kenneth R. van Wyk wrote:
> > Greetings,
> >
> > It's been a rather quiet week so far here on SC-L. I guess that everyone
> > is either at the RSA conference (http://2004.rsaconference.com/) or
> > otherwise too busy. I've been watching some of the reports that have been
> > appearing in the trade press regarding announcements and such at the RSA
> > conference
> > (http://news.com.com/2009-7355_3-5163628.html?part=rss&tag=feed&subj).
> > Most of the announcements seem to me to focus on new and upcoming products.
> > While that's all well and good, I don't see anyone addressing issues of
> > software security -- which probably shouldn't come as much of a surprise
> > since software security is not even addressed in the conference
> > theme/agenda (http://2004.rsaconference.com/agenda.aspx). Disappointing...
> >
> > Perhaps some kind SC-L subscriber that's at the conference will pass along
> > any "software security sightings"? ;-)
> >
> > Cheers,
> >
> > Ken van Wyk
> > --
> > KRvW Associates, LLC
> > http://www.KRvW.com
Re: [SC-L] Any software security news from the RSA conference?
Bill Gates gave a keynote on their current approach to security, and the contents of SP2, due out 1H 2004. From what I heard, Bill "gets it." He addressed about 4 of my top 6 complaints and remediations. Quite a change from the rhetoric of five years ago. But it is an Augean stable, and they have a long way to go.

Of course, the devil is in the details, and we will have to see.

On Wed, Feb 25, 2004 at 02:38:32PM -0500, Kenneth R. van Wyk wrote:
> Greetings,
>
> It's been a rather quiet week so far here on SC-L. I guess that everyone
> is either at the RSA conference (http://2004.rsaconference.com/) or
> otherwise too busy. I've been watching some of the reports that have been
> appearing in the trade press regarding announcements and such at the RSA
> conference
> (http://news.com.com/2009-7355_3-5163628.html?part=rss&tag=feed&subj).
> Most of the announcements seem to me to focus on new and upcoming products.
> While that's all well and good, I don't see anyone addressing issues of
> software security -- which probably shouldn't come as much of a surprise
> since software security is not even addressed in the conference
> theme/agenda (http://2004.rsaconference.com/agenda.aspx). Disappointing...
>
> Perhaps some kind SC-L subscriber that's at the conference will pass along
> any "software security sightings"? ;-)
>
> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com
Re: [SC-L] Any software security news from the RSA conference?
Looks like the link I was pointing to didn't make it

Here it is again

http://news.zdnet.co.uk/internet/security/0,39020375,39147413,00.htm

And the text below

Software makers could eliminate most current security issues if they only tried harder, according to a Homeland Security advisor

An advisor to the US' Homeland Security Council has lashed out at software developers, arguing their failure to deliver secure code is responsible for most security threats.

Retired lieutenant general John Gordon, presidential assistant and advisor to the Homeland Security Council, used his keynote address at the RSA Security conference in San Francisco on Wednesday to question how much effort developers are putting into ensuring their code is watertight. "This is a problem for every company that writes software. It cannot be beyond our ability to learn how to write and distribute software with much higher standards of care and much reduced rate of errors and much reduced set of vulnerabilities," he said.

Gordon's keynote followed a day after that of Microsoft chairman Bill Gates.

According to Gordon, if developers could reduce the error and vulnerability rate by a factor of 10, it would "probably eliminate something like 90 percent of the current security threats and vulnerabilities.

"Once we start writing and deploying secure code, every other problem in cybersecurity is fundamentally more manageable as we close off possible points of attack," he said.

Gordon also criticised wireless network manufacturers for making encryption too difficult to deploy, even for "technically competent" users. He made the comments after explaining that he had spent a long weekend trying to set up a Wi-Fi network at his house.

"One manufacturer got to invest an entire man-day of tech support and about eight hours of telephone charges. At the end of the day, I still had not accomplished a successful installation," said Gordon, who eventually managed to get the network running by "taking some steps that were not in the documentation".

However, he said the documentation didn't make it clear how to secure his network: "The industry needs to make it easy for users like me -- who are reasonably technically competent -- to employ solid security features and not make it so tempting to simply ignore security."

Mark Curphey <[EMAIL PROTECTED]> wrote:
> I thought this was interesting. I missed it but I am sure the message will
> please many on this list (myself included)
>
> Bill Cheswick <[EMAIL PROTECTED]> wrote:
> > Bill Gates gave a keynote on their current approach to security, and
> > the contents of SP2, due out 1H 2004. From what I heard, Bill
> > "gets it." He addressed about 4 of my top 6 complaints and remediations.
> > Quite a change from the rhetoric of five years ago.
> > But it is an Augean stable, and they have a long way to go.
> >
> > Of course, the devil is in the details, and we will have to see.
> >
> > On Wed, Feb 25, 2004 at 02:38:32PM -0500, Kenneth R. van Wyk wrote:
> > > Greetings,
> > >
> > > It's been a rather quiet week so far here on SC-L. I guess that everyone
> > > is either at the RSA conference (http://2004.rsaconference.com/) or
> > > otherwise too busy. I've been watching some of the reports that have been
> > > appearing in the trade press regarding announcements and such at the RSA
> > > conference
> > > (http://news.com.com/2009-7355_3-5163628.html?part=rss&tag=feed&subj).
> > > Most of the announcements seem to me to focus on new and upcoming products.
> > > While that's all well and good, I don't see anyone addressing issues of
> > > software security -- which probably shouldn't come as much of a surprise
> > > since software security is not even addressed in the conference
> > > theme/agenda (http://2004.rsaconference.com/agenda.aspx). Disappointing...
> > >
> > > Perhaps some kind SC-L subscriber that's at the conference will pass along
> > > any "software security sightings"? ;-)
> > >
> > > Cheers,
> > >
> > > Ken van Wyk
> > > --
> > > KRvW Associates, LLC
> > > http://www.KRvW.com