lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200406261021.00455.radoslav.dejanovic@opsus.hr>
Date: Sat, 26 Jun 2004 10:21:00 +0200
From: Radoslav Dejanović <radoslav.dejanovic@...us.hr>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security


On Friday 25 June 2004 20:53, http-equiv@...ite.com wrote:
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect.  This is unacceptable.  Someone must
> be held accountable.

Although I do agree on most of your words, I hardly find this list 
appropriate for such rants. You're talking to people who already know 
this, and do not forget that Microsoft doesn't play security game like 
Open Source people do. It is two different worlds, really. While OS people 
might just sit down, write a patch and publish it, MS people would have to 
write patch, submit it to QA, see that it doesn't break something else, 
see that it doesn't make the end-user experience less comfortable, and 
only then release it to the public (takes time, doesn't it?).

The latter is a really good discussion point: while OS people in most cases 
do care about making end-users life easier, in cases like that it is 
always "shut up and patch up" stance coming from OS developers, which does 
turn some end-users away from using OS software, but improves in overall 
security. However, MS would think twice if they have to do something that 
would make end-users uneasy because it would force them to change the way 
they do with their computers - XP service pack 2, if it is true that it 
might break a lot of existing applications due to severe changes in the 
kernel, is a good example. Customer satisfaction plays a great role for MS 
(this is just how it should be in any business), but it seems that they're 
willing to sacrifice a lot to keep customers belive they're using the most 
comfortable software in this part of Universe. 

Technically, it wouldn't be too hard to do very few steps that could 
eradicate worms/viruses issue as it is present today: if MS would stop 
shipping MSIE and OE to force people to use third party software, and if 
they disable some of the features of scripting language used in MS Office, 
they would disintegrate this monoculture and provide harsh ground for new 
malware. It isn't so hard to do, but there's this question of end-user 
experience. People do love to have all those nifty features, although they 
use 10-20% of them (but "let it just sit there, you never know..."); take 
most of that unneeded features away, and your customer satisfaction starts 
to slip. They might be more secure, but they wouldn't like it. End-users, 
that is. You have to keep them happy, in one way or another. 
Now, why MS failed to fix this problem is beyond my comprehension, but it 
isn't first time it took them a lot of time to provide a fix. However, it 
seems that this doesn't hurt their sales. This might be because all that 
customers care about is if they can do something with some tool, not how 
secure (and reliable) it is. If it wasn't that way, we would talk about 
majority of people using Linux or MacOS and OpenOffice, wouldn't we?

Ah, and apropos your accountability question - haven't you read your 
EULA? ;-)


-- 
Radoslav Dejanović
founder and director
Operacijski sustavi d.o.o.
http://www.opsus.hr


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ