| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: adam at hif.hu (Szilveszter Adam) Subject: Vulnerability response times -- MS and others hggdh wrote: > Anyways... the report seems to indicate that Microsoft is the fastest > on solving security issues. > > Comments? While not reading the report does not allow me to make qualified comments (and the statements for/by the press that are to be quoted in the news headlines are to be taken with extreme amount of salt), I'd wager that this is one more result of the latter-day MS push to establish their security propaganda PR-wise. While there is some tech details to it that has merit, they usually do not talk to the press (or conference attendees or the like) about that since that would throw most people off by immersing them in details that are waaay above their heads and also leave them with the gaping suspicion that nothing is truly secure, when what they want is the *belief* that once they do this or that they will be secure from all threats. So in these venues, MS has adopted the following stance (I know because I managed to observe this live at an IDC-organised road show here in Budapest some weeks ago): - They now send someone who has "security" somewhere in his title to these events. No more marketing execs or product managers. - No more inflammatory rheotric about eg the GPL being un-American or a "cancer" or a threat to national security. Semmingly calm and professional tone, uninterested in OS wars. - Cite external reviews about how important security in general is. Do not miss out on viruses, worms, crack attempts, not even on "insider jobs" in organisations. - Cite external reviews on how malware authors for ex are no longer doing it for the fun and the fame but for material gain. - Explain how hard MS has been pushing security since the last nn years, citing the BG memo of "stop all coding and go to security bootcamp" as example (still) Cite stats to show how the results of this are already showing for w2k3. - Use hand-weaving to signal in the general direction of some technologies that will appear in the next generation of windows. No details, no controversial issues, no explanations. - Use scenarios to show how these technologies will be better protecting you from some of *today's* *known* threats (and do not even mention that those threats might be totally or largely unimportant by the time. Think boot-sector viruses) - Inidicate that with MS, there is a team that you can trust and not some random hacker in China who will commit some sneak fix after midnight. (I think the "Chinese hacker" part is especially effective - outside of China of course, there they probably use something else like "some unknown US hacker" :-) - because of the "latent fear of the unknown" factor, even playing with racist sentiments in the meantime) - For good measure they throw in some fake stats like the "how many advisories does RH have for things like setgid games priviledge elevation in frozen bubble?" implying that on RH, those too are part of the base offering that RH sells, unlike with windows third-party software. They know and like the mi2g report too. - The "trust us, we are pros" attitude usually works: since people still often think that malware etc is like the rain: a fact of life that you have to accept as is and there is no protection against it, they will be content to know that somebody will be selling automatic umbrellas in nice colors. If somebody stands up and poses (or tries to) tough questions at this point, he will look like an extremist and not believed to. It works. Works much better than when Mr. Ballmer went on record flaming against open-source. It is a challange to counter it. Regards: Sz.
Powered by blists - more mailing lists