From: nick at (Nick FitzGerald)
Subject: Support the Sasser-author fund started

"Shane C. Hage" to Bill Royds:

> I agree with most of your statements below.  

Well, actually, he was wrong if you consider the NT family of OSes 
starting in about 1993-4 (true, OOTB they were configured to be "fully 
Win 3.x compatible" -- that is, with all security disabled/dumbed down
-- but the underlying architecture design at least met most of the 
minimum criteria for C2...).

> ...  However, with competing
> operating systems such as those you mentioned below plus OS/2 and Apple
> Macintosh in the 1980's, the business leaders and consumers chose Windows.
> I think people forget that Microsoft must have filled a gap that these other
> operating systems didn't.  ...

They beat OS/2 on installation ease (_great_ OS, dog of an install, 
even on some IBM hardware) and Apple by running on "any old crud" (and 
therefore very cheap) hardware (and the market size then contributed 
further to the PC hardware getting much cheaper, much faster than Apple 
would allow/could match) with its proprietary hardware/OS lock-in.

> ...  How can we blame Microsoft for capitalizing on
> the need at the time?
They sold completely insecurable products into large -- real large; I 
recall Ford being "poster boy" for _Win95_ fercrissakes -- markets to 
make sure they got market penetration, when (if they had any integrity 
or could have been at all objective about the product they'd either 
have pushed NT _or not even tried_ for the sale).  Of course, some folk 
at Ford and many other large corporates that made the same mistake have 
a lot to answer for too...

> When the Internet revolution started, there was no way to predict the
> magnitude that a malicious program could have across the world.  ...

Bollox -- the Morris Worm had already shown us what could be achieved.

Are we really so dense that we need weekly to monthly replays on a 
slightly different scale, and with slightly different attack vectors, 
before we can learn anything from such "attacks"?

Or did the all-out greed fuelled by the contemporaneous dot-com bubble 
cloud some folks' judgement?

> ...  Sure,
> Microsoft is playing catch-up with security.  They are just filling the gap
> in their own products now.

The trouble with that approach is that there is just not enough spackle 
in the world for them to achieve that goal any time soon.  So, what do 
they do?  What they've always done -- continuing with "business as 
usual"; spin, spin, spin.

Seems to have worked for you...

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
