From: tcleary2 at csc.com.au (tcleary2@....com.au)
Subject: M$ - so what should they do?

Valdis Kletnieks said:

> It's not as simple as "throw it out and start again" - what's feasible for a
> student's semester project or a small company's small software package isn't as
> feasible when it's one of the largest sets of intertwined code ever written....

And that's the main point - the enemy of security isn't any given 
company/package/platform.

It's complexity.

Complexity guarantees that there will be flaws, that might be exploited, 
in any product.

The only products with no reported vulnerabilities are small, low use 
products, and the main reason there aren't any reports is no-one's 
bothered to look.

It's a principle that no matter how much effort is put into attempting to 
achieve perfection, not just "six sigmas", it can't be achieved.

Without perfection no-one, not just Business, can risk a monoculture (just 
ask the U.S. wheat farming industry).

'Cos this isn't medicine, where "acceptable losses" can be estimated - who 
could guess the impact from a code flaw in the root servers? Or base code 
for HTTP handling? Or the privilege handling code in Windows?

I believe Microsoft are making genuine efforts to improve their code.

But even with billions in the bank to spend on it, they can't make it 
perfect.

And in order to trust that their code can run EVERYTHING, that's what it'd 
have to be.

The corollary, of course, is that IT will become more expensive because 
people will have to bite the bullet and get people with more than one 
skillset, or more people.

Of course, they could outsource......  ;-)

Regards,

tom.
----------------------------------------------------------------------------------------
Tom Cleary - Security Architect

"In IT, acceptable solutions depend upon humans - Computers don't 
negotiate."
----------------------------------------------------------------------------------------

