Re: Microsoft, CNET, BUGTRAQ and the 'land' attack

Aleph One (aleph1@DFW.NET)
Tue, 09 Dec 1997 23:22:18 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "Re: Yahoo hacked"
Previous message: Aleph One: "MIT Kerberos V5 R1.0.4 is released"
Maybe in reply to: Geoffrey King: "Microsoft, CNET, BUGTRAQ and the 'land' attack"

I am forwarding just one more post on this topic. It is a subject more
appropiate for RISKS than BUGTRAQ but I'll use it as my soap box for the
day.

What follows is an anonymous message from an engineer at Microsoft in
response to the original post that started this thread.

---------- Forwarded message ----------
I mostly want to address Geoffrey's concerns about the public statement
for the "res://..." attack. I, too, was concerned to read the comment
that [MS could only reproduce a crash, which is not a security problem].

I tracked down the author of that quote, which required about 2 hours
of detective work, since there were many MS employees with the same last
name. The person in question is _not_ a software engineer; he is a
marketing type. He was quoted because a reporter phoned him directly.
Instead of checking with a developer, he tried the example home page and
noted that IE crashed for him. "Not a security hole," he thought. Sigh.

By the time I contacted him, MANY other MS devs had already done so. The
IE devs were well aware of the implications of the stack-smashing bug and
were at work fixing it. Our marketer had already been sufficiently
educated on the subject of crashes, security holes, and going on record
with insufficient information.

Lessons, believe it or not:
MS engineers are not unaware of exploit techniques.
Not all MS employees are engineers.
MS employees quoted by magazines are almost never engineers.

-------- End forwarded message --------

Which brings me to my rant of the day. It seems to me that in the rush to
the online world we have lost many things. In particular quality of almost
any kind, the most obvious being the lack of any difference now a days
between a beta or release software product.

But the one I have in mind right now is a difference type of quality. That
of quality jurnalism. All to often we see articles online that no paper
based newspaper or magazine would publish. Now this is not to say
that the are not high-quality jurnalist publishing online. I've
actually had the please to chat with some. But there is something
amiss.

Maybe its the ethereal nature of the medium. After all once you print
something on paper you can go back and recall the prints so you are
forced to make sure your facts are correct before performing that last
step. It is all to easy in online publications to update them and fix any
errors or omisions after the fact. You also have each publishing house
trying to beat each other on stories and datelines and all to often they
use some PR or markething person as a source for technical information
that the author does not understand to being with.

But maybe its just me.

</SOAPBOX>

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Next message: Aleph One: "Re: Yahoo hacked"
Previous message: Aleph One: "MIT Kerberos V5 R1.0.4 is released"
Maybe in reply to: Geoffrey King: "Microsoft, CNET, BUGTRAQ and the 'land' attack"