[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200703210430.l2L4UBAB024883@neale.org>
Date: Wed, 21 Mar 2007 15:30:14 Australia/NSW
From: Neale Green <neale.green@...le.org>
To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>,
<full-disclosure@...ts.netsys.com>
Subject: RE: Your Opinion
FWIW,
My concerns in regard to this do not relate to the fact that Microsoft is
selling products to address security issues in its other products, they,
like all other major players, are in business for the revenue, if people
are prepared to pay for their products they will, if not they'll go
elsewhere for their security solutions, commercial or otherwise.
My concerns relate more to the long standing and excessively common
practice in Microsoft solutions to grant additional (and in regard to
Security issues, excessive) accesses to it's products and/or sites to
enhance the apparent performance of its products, against other products,
AND that most of these additional accesses are "below the covers", so
they are difficult to collate details for, and/or to block/control them.
Developers have/will always (in my experience) emply any mechanisms to
simplify processes and enhance performance, in MANY instances the risk to
the security and integrity of the environment in which it's deployed is
considerably increased by these practices, all the more so when it is
covered up my the operating system processes.
FWIW, this is just the opinion of a long standing security person, who's
been fgighting many vendors for a long time on these issues, not just
Microsoft.
Neale Green
> I have heard the comment "It's a huge conflict of interest" for one
> company to provide both an operating platform and a security platform"
> made by John Thompson (CEO Symantec) many times from many different
> people. See article below.
>
> http://www2.csoonline.com/blog_view.html?CID=32554
>
> In my personal opinion, regardless of the vendor, if they create an OS,
> why would it be a conflict of interest for them to want to protect their
> own OS from attack. One would assume that this is a responsible
> approach by the vendor, but one could also argue that their OS should be
> coded securely in the first place. If this were to happen then the need
> for the Symantec's, McAfee's of the world would some what diminsh.
>
> Anyway I am just curious as to what other people think.
>
> Thanks in advance
>
> Mark
>
>
> All mail to and from this domain is GFI-scanned.
>
>
> .....
>
>
> All mail to and from this domain is GFI-scanned.
>
Powered by blists - more mailing lists