[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200310311032.25076.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Gates: 'You don't need perfect code' for good security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FLAME ON!
http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
"But there are two other techniques: one is called firewalling and the other
is called keeping the software up to date. None of these problems (viruses
and worms) happened to people who did either one of those things. If you had
your firewall set up the right way - and when I say firewall I include
scanning e-mail and scanning file transfer -- you wouldn't have had a
problem. But did we have the tools that made that easy and automatic and that
you could really audit that you had done it? No. Microsoft in particular and
the industry in general didn't have it."
"The second is just the updating thing. Anybody who kept their software up to
date didn't run into any of those problems, because the fixes preceded the
exploit. Now the times between when the vulnerability was published and when
somebody has exploited it, those have been going down, but in every case at
this stage we've had the fix out before the exploit. So next is making it
easy to do the updating, not for general features but just for the very few
critical security things, and then reducing the size of those patches, and
reducing the frequency of the patches, which gets you back to the code
quality issues. We have to bring these things to bear, and the very dramatic
things that we can do in the short term have to do with the firewalls and the
updating infrastructure. "
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/oqq3Ji2cv3XsiSARAlkdAJ0aGkBViYkoE193iZycTmQZohzwbQCg1KDA
SjPLY1EEzamQCtIGKwJT1Vk=
=mIsY
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists