From: jasonc at science.org (Jason Coombs)
Subject: Microsoft wins Homeland Security Bid ( Reuters)

Aloha, Brad.

Nice essay. However, you miss the point entirely. It is inappropriate to give
Microsoft the benefit of the doubt.

U.S. taxpayer money literally pours into Microsoft's coffers, the present
contract win being just one example. In return, U.S. citizens receive a
government that is unable to comprehend the most basic of information security
concepts because the computing platform used by so much of the U.S. government
is substandard and the vendors are more concerned with appearances than provable
security.

> Microsoft products can actually provide a great deal of security
> (so long as you can implement an effective patch management
> solution on top of your host hardening procedures).
...
> Microsoft is going to work very hard with the DHS to provide a
> secure baseline

Microsoft will have to work hard, because they'll be working against
themselves more than anyone else, and they are a formidable adversary. Perhaps
you do not understand what Microsoft did when they designed their "Baseline
Security Analyzer" software... By design this software performs as little
scanning as possible so that the results of its analysis more often reveal
"your baseline security is great!" -- they intentionally crippled this tool's
capabilities, giving admins a false sense of security and contributing to the
emergence of SQL Slammer. You're saying that you wish to both forgive them
(and obviously, forget their past bad acts) and presume that they will never
do such a thing again... I sure hope you don't vote and that you never find
yourself burdened with the power to make important decisions.

> security is a process, not a product.

The first step in this process is to select technology and vendors that do not
actively work against the interests and requirements of security.

> Comments stating that Microsoft will be incapable of providing an
> appropriate service (or at least a service comparable to any
> competitor in the marketplace) are biased and without merit.

There is nothing wrong with bias; in fact, it is an essential security
countermeasure.

You are correct, though, that comments stating that Microsoft will be
incapable of providing an appropriate service to the U.S. government are
without merit -- provided that Microsoft selects Linux as the OS and minimizes
the number of features and the amount of software they deploy, they surely are
capable of providing a service that is comparable to any competitor in the
marketplace. They're smart people. The problem is that these smart people are
forced to haul around a stinking mess of insecure code in order to advance
their corporate brand marketing interests every time they do a job. This is
just plain harmful, and it has no place in government computing paid for by
taxpayers.

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Brad Bemis
Sent: Wednesday, July 16, 2003 6:22 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Microsoft wins Homeland Security Bid (
Reuters)


I find it interesting that so many negative comments have been made about
this.

...
