lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 16 Mar 2007 15:36:00 -0400
From: "Jonathan Glass (GM)" <jonathan.glass@...il.com>
To: Mark Litchfield <Mark@...software.com>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.netsys.com
Subject: Re: Your Opinion

Mark Litchfield wrote:

> I have heard the comment "It's a huge conflict of interest" for one 
> company to provide both an operating platform and a security platform" 
> made by John Thompson (CEO Symantec) many times from many different 
> people.  See article below.
>
> http://www2.csoonline.com/blog_view.html?CID=32554
>
> In my personal opinion, regardless of the vendor, if they create an 
> OS, why would it be a conflict of interest for them to want to protect 
> their own OS from attack.  One would assume that this is a responsible 
> approach by the vendor, but one could also argue that their OS should 
> be coded securely in the first place.  If this were to happen then the 
> need for the Symantec's, McAfee's of the world would some what diminsh.
>
> Anyway I am just curious as to what other people think.
>
> Thanks in advance
>
> Mark
>
I think it's a conflict of interest for the OS vendor to become a 
Security platform vendor for a couple of reasons.

First, if a vendor made security a priority in the SDLC for the OS and 
wrote secure code, then the security platform market wouldn't exist. 
It's good to see Microsoft making great strides in this area. 

Second, since they develop the operating system, they have a more 
detailed understanding of the potential vulnerabilities in their 
product.  Since they have this in-depth knowledge, they have to make a 
decision about protection.  Should they fix the problem with a free 
OS-patch and release it as part of their normal patch cycle?  Or, should 
they include 'protection' for these vulnerabilities in their 'security 
product' which is a premium add-on to their base OS product, and 
includes maintenance/licensing costs? 

If you're a conspiracy nut, or just a Microsoft-hater, you're more 
likely to believe the latter.  If you're a pro-Microsoft fan, then 
you're likely to believe the former.  Unfortunately, because Windows and 
the Microsoft security products are black boxes, we, the security 
community, have no way of knowing which choice they've made.

Third thought: If a company makes a security product, there's always the 
question as to whether or not the vendor makes securing the OS or 
improving the security product a priority.

Just the $0.02 of a raving lunatic.

Thanks

Jonathan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ