Message-ID: <200406261021.00455.radoslav.dejanovic@opsus.hr>
Date: Sat, 26 Jun 2004 10:21:00 +0200
From: Radoslav Dejanović <radoslav.dejanovic@...us.hr>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security

On Friday 25 June 2004 20:53, http-equiv@...ite.com wrote:
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect. This is unacceptable. Someone must
> be held accountable.

Although I do agree on most of your words, I hardly find this list
appropriate for such rants. You're talking to people who already know
this, and do not forget that Microsoft doesn't play the security game like
Open Source people do. It is two different worlds, really. While OS people
might just sit down, write a patch and publish it, MS people would have to
write a patch, submit it to QA, see that it doesn't break something else,
see that it doesn't make the end-user experience less comfortable, and
only then release it to the public (takes time, doesn't it?).

The latter is a really good discussion point: while OS people in most cases
do care about making end-users' life easier, in cases like that it is
always "shut up and patch up" stance coming from OS developers, which does
turn some end-users away from using OS software, but improves in overall
security. However, MS would think twice if they have to do something that
would make end-users uneasy because it would force them to change the way
they do with their computers - XP service pack 2, if it is true that it
might break a lot of existing applications due to severe changes in the
kernel, is a good example. Customer satisfaction plays a great role for MS
(this is just how it should be in any business), but it seems that they're
willing to sacrifice a lot to keep customers believing they're using the most
comfortable software in this part of Universe.

Technically, it wouldn't be too hard to do very few steps that could
eradicate worms/viruses issue as it is present today: if MS would stop
shipping MSIE and OE to force people to use third party software, and if
they disable some of the features of scripting language used in MS Office,
they would disintegrate this monoculture and provide harsh ground for new
malware. It isn't so hard to do, but there's this question of end-user
experience. People do love to have all those nifty features, although they
use 10-20% of them (but "let it just sit there, you never know..."); take
most of those unneeded features away, and your customer satisfaction starts
to slip. They might be more secure, but they wouldn't like it. End-users,
that is. You have to keep them happy, in one way or another.

Now, why MS failed to fix this problem is beyond my comprehension, but it
isn't the first time it took them a lot of time to provide a fix. However, it
seems that this doesn't hurt their sales. This might be because all that
customers care about is if they can do something with some tool, not how
secure (and reliable) it is. If it wasn't that way, we would talk about
majority of people using Linux or MacOS and OpenOffice, wouldn't we?

Ah, and apropos your accountability question - haven't you read your
EULA? ;-)

--
Radoslav Dejanović
founder and director
Operacijski sustavi d.o.o.
http://www.opsus.hr