[ale] AT&T Broadband blocking inbound http?

Stephen Lastinger s.lastinger at computernetdesign.com
Mon Aug 13 07:35:22 EDT 2001


On Mon, 13 Aug 2001, Transam at cavu.com wrote:
> Subject: Re: [ale] AT&T Broadband blocking inbound http?
>
> > God help me!!! I'm about to defend Microsoft on a Linux mailing list!!!
>
> > Actually, while Microsoft's reputation for "out of the box" security
> > is absolutely horrible, their cooperation with the Security Community
> > "after the fact" is quite good. They DO release patches within a reasonable
> > time frame. They DO admit their screw-ups (all too often). And they
> > DO cooperate with others when developing bug fixes. Scott Culp has
> > put an awful lot of work into improving the MS reputation within the
> > Security Community. His efforts are paying dividends.  The patch for this
> > particular bug was released fairly soon after it was discovered. It's
> > not their fault that everyone ignored the warnings. But...and this is
> > a big-ass but...they did fail to patch half the servers on the Hotmail
> > development network and they have scanned me repeatedly costing me
> > Trillions!!!!
> > </tongue in cheek>
>
> > Jonathan Rickman
> > X Corps Security
> > http://www.xcorps.net


> Don't congratulate them too much on their cooperation.
>
> The ONLY reason why they cooperate is because when they didn't, they suffered
> the consequences.  Back then, "white hats" followed standard protocol: they
> warned the vendor of security holes and told them that they'd better get
> off their BLEEP and provide patches in X days.  After X days the holes would
> be revealed to all on popular security lists (also read by crackers).
>
> After lots of embarrassment and ignored threats from M$ lawyers, M$ realized
> that they had no alternative and started issuing patches quickly, before X
> days passed (X typically being 5-30).
>
> Bob
> transam at cavu.com                       [Bob's ALE Bulk email]
> bob at cavu.com                           [Please use for email to me]


Exactly.  Remember a few years ago when the first round of Outlook worms
that used the address book hit?  These propagated like crazy because in
that version, in order to use the preview feature of the
commercial version of Outlook, the program automatically opened the
attachment! (Asinine and insane, but "user friendly" to someone with a
min. working knowledge of computers)

It took Microsoft about 3 1/2 months to issue a patch for this!
(Of course, I don't think the issue was that it was *sooooo hard* to
create a patch for this program, the issue was M$'s desire to issue a fix
in the next commercial version of the product--forcing customers to BUY the
upgrade, rather than making available a free patch and potentially losing
sales and upgrade revenue!)

Don't get me wrong.  I've worked for quite a few commercial s/w
developers over these past few years in varying capacities, and have
nothing against profit for commercially developed s/w.  However, I
draw the line at holding out on customer service, forced upgrades,
deliberately compromising the security of a customer to make even greater
profits.  These are policies I find despicable.  This is a (one of many
actually!) reason that whenever there is an open or free sourced
alternative I will use it....especially over a M$ one!

....course on this point, I'm probably just preaching to the choir.
: )

*Stephen steps down from the pulpit*

-Stephen

--
Stephen Lastinger - s.lastinger at computernetdesign.com
Computer Network Design, Inc. - http://www.computernetdesign.com
