| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Mar 2007 13:20:44 -0400 From: "Alex Eckelberry" <AlexE@...belt-software.com> To: "Jim Harrison" <Jim@...tools.org>, "Mark Litchfield" <Mark@...software.com>, <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com> Subject: RE: Your Opinion Actually, I have a hard time understanding why it isn't a conflict of interest -- at least in theory (perhaps not in practice). Security apps sell in direct proportion to infection rates, fear of infection, etc. In the case of Msft, the more exploits they have in the browser, the more security apps they can sell. The less secure the operating system is, the more the vendor can sell security apps. And so on. Thompson is right, in that it is a theoretical conflict of interest. I suppose the real question is: Is it the same from a practical perspective. Alex Eckelberry -----Original Message----- From: Jim Harrison [mailto:Jim@...tools.org] Sent: Friday, March 16, 2007 6:55 PM To: Mark Litchfield; bugtraq@...urityfocus.com; vulnwatch@...nwatch.org; full-disclosure@...ts.netsys.com Subject: RE: Your Opinion Thanx, Mark One phrase; "consider the source". The expert participant in this interview is (catch me before I faint) - Symantec CEO John Thompson. Symantec and other security vendors have had more than ample opportunity to get in this game and it wasn't until Vista hit the Beta track that Symantec folks even started noticing that their hooks were (re)moved. It's a potentially questionable process that uses the same mechanisms as the malware they seek to defend against. Yes, I know; "think like a criminal"... I agree that functional and security patches should be free (and they are), but software packages to protect Jo(sephin)e User from their propensity for digital self-abuse should be sold. You want me to protect you from your own actions? - pay me. This is the basis for most consultant businesses. The argument that the OS vender shouldn't "get into the security game" is self-serving at best (remember the source?). Thanks to recent EU and DoJ decisions, no one can argue that "they don't have access to the same information as MS teams". This is freely available on MSDN and if you want protocol specifics, to anyone willing to sign a licensing agreement with MS. IMHO, he's just plain wrong and is only making "they're being meanie-poo-poo-heads" noises. Jim -----Original Message----- From: Mark Litchfield [mailto:Mark@...software.com] Sent: Friday, March 16, 2007 11:49 AM To: bugtraq@...urityfocus.com; vulnwatch@...nwatch.org; full-disclosure@...ts.netsys.com Subject: Your Opinion I have heard the comment "It's a huge conflict of interest" for one company to provide both an operating platform and a security platform" made by John Thompson (CEO Symantec) many times from many different people. See article below. http://www2.csoonline.com/blog_view.html?CID=32554 In my personal opinion, regardless of the vendor, if they create an OS, why would it be a conflict of interest for them to want to protect their own OS from attack. One would assume that this is a responsible approach by the vendor, but one could also argue that their OS should be coded securely in the first place. If this were to happen then the need for the Symantec's, McAfee's of the world would some what diminsh. Anyway I am just curious as to what other people think. Thanks in advance Mark All mail to and from this domain is GFI-scanned. ....
Powered by blists - more mailing lists