[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407091521.i69FLZvB007951@turing-police.cc.vt.edu>
Date: Fri, 09 Jul 2004 11:21:35 -0400
From: Valdis.Kletnieks@...edu
To: Alun Jones <alun@...is.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Microsoft and Security
On Mon, 05 Jul 2004 16:10:36 PDT, Alun Jones <alun@...is.com> said:
> Microsoft employs people who care about producing good software. We're all
> indoctrinated from day one that our software is used by everyone - our
> parents, our neighbours, our children... It's perhaps a unique situation
> compared to producers of the other OSs, where the users are usually limited
> to particular sections of the community.
Yes, parts of Microsoft *are* trying to do better, but there's a limit to
what any single programmer can achieve without some serious buy-in from
high-level project leaders.
Unfortunately, there's obviously a disconnect at *some* level, because they
keep shipping software that's broken in very fundemental and recognized ways
(the concept of "zoned", ActiveX, and other such stuff we've known for *YEARS*
is a bad security idea). There's just too much lock-in to the concept that
since your software is used by everyone, it has to have all sorts of bells
and whistles to make life easier for everyone...
... including black hats.
Be honest now - how many times in their career has the average Microsoft
programmer been indoctrinated with "Be Featureful!", and how many times have
they heard "Be security-minded paranoids!"? Remember to count double/triple
scores for what they heard the first 6-9 months they were there and
absorbed the culture.
Proof that Microsoft still needs to re-educate some high-level people: the
fact that there was *any* thought given to making SP2 only install on
"legal" copies and locking out pirated copies. The number of people running
pirated copies that actually will buy legit ones just to install SP2 is quite
likely tiny - but the number of people running pirated ones that would end
up remaining insecure is much larger. This one *should* have been a no-brainer:
"We screwed up, our software sucked security-wise, and to make up for it,
we're giving out a freebie update for *everybody* and swallowing the profits
from the 23 people who would otherwise go legit just to install SP2".
> I really don't think you'll find much truck with the idea that Microsoft
> employees are happy to leave their mother's home machine, or those of the
> general public, open to infection.
Much would be explained by the thesis that the person(s) causing the
disconnect mentioned above don't have mothers... ;)
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists