[Full-Disclosure] Gates: 'You don't need perfect code' for good security

Brian Bruns bruns at 2mbit.com
Fri Oct 31 22:43:16 UTC 2003


http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Xns94258238F273Cbruns2mbitcom%40130.133.1.4

From my post to the NANAE newsgroup...


My favorite quote is...

BG: Until we had this concept of Web services, software on the Internet
couldn't talk to other software on the Internet. The only thing that worked
was you could move bits - that's TCP/IP - or you could put up screens -
that's HTML - but software couldn't talk to software.


It's good to know my Putty application can't talk to my OpenSSH server, or
that my EXIM mail server can't actually talk to other mail servers.


:-)

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org
----- Original Message ----- 
From: "james" <hackerwacker at cybermesa.com>
To: <nanog at nanog.org>
Sent: Friday, October 31, 2003 5:00 PM
Subject: Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for good security


>
> One word.... HA !
>
> james
> ----- Original Message ----- 
> From: "Jeremiah Cornelius" <>
> To: <full-disclosure at lists.netsys.com>
> Sent: Friday, October 31, 2003 11:32 AM
> Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
>
>
> : -----BEGIN PGP SIGNED MESSAGE-----
> : Hash: SHA1
> :
> : FLAME ON!
> :
> : http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
> :
> : "But there are two other techniques: one is called firewalling and the other
> : is called keeping the software up to date. None of these problems (viruses
> : and worms) happened to people who did either one of those things. If you had
> : your firewall set up the right way - and when I say firewall I include
> : scanning e-mail and scanning file transfer -- you wouldn't have had a
> : problem. But did we have the tools that made that easy and automatic and that
> : you could really audit that you had done it? No. Microsoft in particular and
> : the industry in general didn't have it."
> :
> : "The second is just the updating thing. Anybody who kept their software up to
> : date didn't run into any of those problems, because the fixes preceded the
> : exploit. Now the times between when the vulnerability was published and when
> : somebody has exploited it, those have been going down, but in every case at
> : this stage we've had the fix out before the exploit. So next is making it
> : easy to do the updating, not for general features but just for the very few
> : critical security things, and then reducing the size of those patches, and
> : reducing the frequency of the patches, which gets you back to the code
> : quality issues. We have to bring these things to bear, and the very dramatic
> : things that we can do in the short term have to do with the firewalls and the
> : updating infrastructure."
> : -----BEGIN PGP SIGNATURE-----
> : Version: GnuPG v1.2.3 (GNU/Linux)
> :
> : iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
> : SjPLY1EEzamQCtIGKwJT1Vk=
> : =mIsY
> : -----END PGP SIGNATURE-----
> :
> : _______________________________________________
> : Full-Disclosure - We believe in it.
> : Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> James Edwards
> Routing and Security Administrator
> jamesh at cybermesa.com
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965
>



