Date: Sat, 26 Jun 2004 10:21:00 +0200
From: Radoslav Dejanović <radoslav.dejanovic@...us.hr>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security


On Friday 25 June 2004 20:53, http-equiv@...ite.com wrote:
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect.  This is unacceptable.  Someone must
> be held accountable.

Although I do agree with most of your words, I hardly find this list 
appropriate for such rants. You're talking to people who already know 
this, and do not forget that Microsoft doesn't play the security game like 
Open Source people do. It is two different worlds, really. While OS people 
might just sit down, write a patch and publish it, MS people would have to 
write the patch, submit it to QA, see that it doesn't break something else, 
see that it doesn't make the end-user experience less comfortable, and 
only then release it to the public (takes time, doesn't it?).

The latter is a really good discussion point: while OS people in most cases 
do care about making end-users' lives easier, in cases like that it is 
always a "shut up and patch up" stance coming from OS developers, which does 
turn some end-users away from using OS software, but improves overall 
security. However, MS would think twice if they had to do something that 
would make end-users uneasy because it would force them to change the way 
they do things with their computers - XP Service Pack 2, if it is true that it 
might break a lot of existing applications due to severe changes in the 
kernel, is a good example. Customer satisfaction plays a great role for MS 
(this is just how it should be in any business), but it seems that they're 
willing to sacrifice a lot to keep customers believing they're using the most 
comfortable software in this part of the Universe. 

Technically, it wouldn't be too hard to take a very few steps that could 
eradicate the worms/viruses issue as it is present today: if MS would stop 
shipping MSIE and OE to force people to use third-party software, and if 
they disabled some of the features of the scripting language used in MS Office, 
they would disintegrate this monoculture and provide harsh ground for new 
malware. It isn't so hard to do, but there's this question of end-user 
experience. People do love to have all those nifty features, although they 
use 10-20% of them (but "let it just sit there, you never know..."); take 
most of those unneeded features away, and your customer satisfaction starts 
to slip. They might be more secure, but they wouldn't like it. End-users, 
that is. You have to keep them happy, in one way or another. 
Now, why MS failed to fix this problem is beyond my comprehension, but it 
isn't the first time it took them a lot of time to provide a fix. However, it 
seems that this doesn't hurt their sales. This might be because all that 
customers care about is whether they can do something with some tool, not how 
secure (and reliable) it is. If it weren't that way, we would be talking about 
the majority of people using Linux or MacOS and OpenOffice, wouldn't we?

Ah, and apropos your accountability question - haven't you read your 
EULA? ;-)


-- 
Radoslav Dejanović
founder and director
Operacijski sustavi d.o.o.
http://www.opsus.hr

