Message-ID: <BCBD56CACB85BF438D56A97E3122DC9A026FFF29@multatuli.ka.sara.nl>
From: rob at sara.nl (Rob Dijkshoorn)
Subject: Vulnerability response times -- MS and others
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Szilveszter Adam
Sent: Thursday 8 April 2004 9:33
To: LC
Subject: Re: [Full-Disclosure] Vulnerability response times -- MS and others
hggdh wrote:
> Anyways... the report seems to indicate that Microsoft is the fastest
> on solving security issues.
>
> Comments?
- Indicate that with MS, there is a team that you can trust and not
some random hacker in China who will commit some sneak fix after
midnight. (I think the "Chinese hacker" part is especially effective -
outside of China of course, there they probably use something else like
"some unknown US hacker" :-) - because of the "latent fear of the
unknown" factor, even playing with racist sentiments in the meantime)
One should be careful trusting code from whatever company, organisation
or person. Unless you wrote all the code yourself, thus knowing its
inner workings well, no trust should be placed in code from others.
Ken Thompson understood this in 1983 (if I am correct, I could be a
couple of years off), and unfortunately his observations still apply today.
There is little trust to be placed in source code.
Either MS fails to understand this, or they are blind to the problem
(either intentionally or unintentionally). Fact is that loads of
universities, countries and other organisations have access to the
Windows source code. Besides that, MS has a large development center in
India, and of course a lot of programmers in Redmond. Apparently
Microsoft is willing to place their complete trust in all those
programmers. However, there is no guarantee that Microsoft's "trusted"
programmers will behave any better with respect to the creation of
Easter Eggs, hidden backdoors or other interesting undocumented remote
administration features.
Perhaps the question should be: "Do you place more trust in software
created by a company with a hideous security track record that is
operated on a for-profit basis than you place trust in software created
by a group of people for fun/reputation/need/whatever which source code
you can audit?" Remember that in the end, Microsoft (and any other
commercial software vendor) is motivated by its own commercial
interests, which may or may not happen to coincide with yours. (Though I
realise the same applies to open source software, however one can use
the source to take the package in an alternate direction).
Regards,
Rob