Message-ID: <04Apr8.093402cest.118642@fd.hif.hu>
From: adam at hif.hu (Szilveszter Adam)
Subject: Vulnerability response times -- MS and others
hggdh wrote:
> Anyways... the report seems to indicate that Microsoft is the fastest
> on solving security issues.
>
> Comments?
While not reading the report does not allow me to make qualified
comments (and the statements for/by the press that are to be quoted in
the news headlines are to be taken with an extreme amount of salt), I'd
wager that this is one more result of the latter-day MS push to
establish their security propaganda PR-wise. While there are some tech
details to it that have merit, they usually do not talk to the press (or
conference attendees or the like) about that since that would throw most
people off by immersing them in details that are waaay above their
heads and also leave them with the gaping suspicion that nothing is
truly secure, when what they want is the *belief* that once they do this
or that they will be secure from all threats. So in these venues, MS has
adopted the following stance (I know because I managed to observe this
live at an IDC-organised road show here in Budapest some weeks ago):
- They now send someone who has "security" somewhere in his title to
these events. No more marketing execs or product managers.
- No more inflammatory rhetoric about e.g. the GPL being un-American or a
"cancer" or a threat to national security. Seemingly calm and
professional tone, uninterested in OS wars.
- Cite external reviews about how important security in general is. Do
not miss out on viruses, worms, crack attempts, not even on "insider
jobs" in organisations.
- Cite external reviews on how malware authors, for example, are no longer
doing it for the fun and the fame but for material gain.
- Explain how hard MS has been pushing security for the last nn years,
citing the BG memo of "stop all coding and go to security bootcamp" as
example (still). Cite stats to show how the results of this are already
showing for w2k3.
- Use hand-waving to signal in the general direction of some
technologies that will appear in the next generation of windows. No
details, no controversial issues, no explanations.
- Use scenarios to show how these technologies will be better protecting
you from some of *today's* *known* threats (and do not even mention that
those threats might be totally or largely unimportant by the time. Think
boot-sector viruses)
- Indicate that with MS, there is a team that you can trust and not
some random hacker in China who will commit some sneak fix after
midnight. (I think the "Chinese hacker" part is especially effective -
outside of China of course, there they probably use something else like
"some unknown US hacker" :-) - because of the "latent fear of the
unknown" factor, even playing with racist sentiments in the meantime)
- For good measure they throw in some fake stats like the "how many
advisories does RH have for things like setgid games privilege
elevation in frozen bubble?" implying that on RH, those too are part of
the base offering that RH sells, unlike with windows third-party
software. They know and like the mi2g report too.
- The "trust us, we are pros" attitude usually works: since people still
often think that malware etc is like the rain: a fact of life that you
have to accept as is and there is no protection against it, they will be
content to know that somebody will be selling automatic umbrellas in
nice colors. If somebody stands up and poses (or tries to) tough
questions at this point, he will look like an extremist and not be believed.
It works. Works much better than when Mr. Ballmer went on record flaming
against open-source. It is a challenge to counter it.
Regards:
Sz.