Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

[News] Free Software Gets Security Boost, Microsoft Hugely Negligent

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Response Team Boosts Open Source Security

,----[ Quote ]
| All in all, oCERT sounds like a worthwhile project that will provide a 
| valuable service to the community of open source vendors and customers. Let's 
| hope it wins enough support to sustain itself for the long run. (That name 
| might be a problem, for starters -- CERT is a trademark of Carnegie Mellon 
| University.)    
`----

http://www.pcworld.com/businesscenter/blogs/mcallister_on_software/145566/response_team_boosts_open_source_security.html

Pondering when your next break-in will happen

,----[ Quote ]
| I mean how much trust can you have in say, Microsoft, which has, nine 
| count 'em nine "high risk" vulnerabilities. Three of those have been on the 
|       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| list for more than a year, and one is closing in on its second birthday.  
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^| 
| In all fairness, Microsoft isn't the only bad egg. Computer Associates, IBM, 
| Novell and HP also make multiple appearances on the list. 
| 
| Still, it does make me wonder. How long exactly can some of those ancient 
| security holes go unfixed before someone else discovers them? Say someone who 
| will immediately put his discovery to use by quietly infecting a few million 
| Windows PCs?   
`----

http://blogs.computerworld.com/pondering_when_your_next_break_in_will_happen

Other flaws they just sweep under the rug too. Not anymore:

Hacker marketplace to help build 0day appliance

,----[ Quote ]
| WabiSabiLabi, the company best known for building an online marketplace for 
| security flaws, is getting into the hardware business. 
`----

http://www.linuxworld.com.au/index.php?id=307887698&rid=-50


Recent:

What spooks Microsoft's chief security advisor

,----[ Quote ]
| Speaking at the Boston SecureWorld conference Wednesday, the 19-year 
| Microsoft veteran whose job includes protecting enterprises, developers and 
| Microsoft itself said there actually is plenty of good news on the security 
| front. For example, his outfit scans a half million devices (with customer 
| permission) per month and in the first half of last year saw the first 
| period-over-period decline in new vulnerabilities disclosed across Microsoft 
| and non-Microsoft software since 2003.      
| 
| However, 3,400 new vulnerabilities were discovered and “it’s still a big 
| number,” Arsenault says. “So if vulnerability rates are down, where are 
| they?”  
`----

http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html


With Vista breached, Linux unbeaten in hacking contest

,----[ Quote ]
| The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on 
| the last day of the contest; but it was Linux, running on a Sony Vaio, that 
| remained undefeated as conference organizers ended a three-way computer 
| hacking challenge Friday at the CanSecWest conference.   
`----

http://www.linuxworld.com/news/2008/032908-with-vista-breached-linux-unbeaten.html?fsrc=rss-linux-news


Bots rule in cyberspace

,----[ Quote ] 
| USA TODAY REPORTS that on an average day, 40 per cent of the 800 million 
| computers connected to the Internet are bots used to send out spam, viruses 
| and to mine for sensitive personal data.  
`----

http://www.theinquirer.net/gb/inquirer/news/2008/03/17/bots-rule-cyberspace
http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm


Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today mailbag:  “Will SP1 contain undisclosed or 
| undocumented security fixes?” 
| 
| For some people, counting the number of security flaws that one OS has 
| compared to another is important because it offers a metric upon which to  
| determine which OS is the most secure (personally, I feel that it’s a bogus 
| metric, but I’ll let it slide for now).  However, many claim that Microsoft 
| stacks the deck in its favor by not disclosing a full list of vulnerabilities 
| that have been patched by omitting to include those discovered and patched 
| in-house.      
`----

http://blogs.zdnet.com/hardware/?p=1225


Related:

Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the 
| vulnerabilities that are found through the QA process and the vulnerabilities 
| that are found by the security folks they engage as contractors to perform 
| penetration testing are fixed in service packs and major updates. For 
| Microsoft this makes sense because these fixes get the benefit of a full test 
| pass which is much more robust for a service pack or major release than it is 
| for a security update.      
`----

http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/


Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently 
| fixing vulnerabilities in its bulletins — a controversial practice that 
| effectively reduces the number of publicly documented bug fixes (for those 
| keeping count) and affects patch management/deployment decisions.   
`----

http://blogs.zdnet.com/security/?p=316


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts 
| that Microsoft brass use to compare its security record with those 
| of its competitors. What do you think of Redmond’s silent patching 
| practice?
`----

http://blogs.zdnet.com/microsoft/?p=527


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a 
| good accounting.
| 
| [...]
| 
| The point: Don't count on security flaw counting. The real flaw is 
| the counting.
`----

http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html?kc=MWRSS02129TX1K0000535
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIIWdBU4xAY3RXLo4RApXyAJ0fqRxacfdAfQy44gS7Dg7+J0rUpgCfU5ad
RPKR023QD65sj7aFwWcZ2eY=
=mb2I
-----END PGP SIGNATURE-----

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index