nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: What could have been done differently?

From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 28 Jan 2003 21:00:48 -0500

In message <20030129014651.GB80965 () darkuncle net>, Scott Francis writes:





There's a difference between having the occasional bug in one's software
(Apache, OpenSSH) and having a track record of remotely exploitable
vulnerabilities in virtually EVERY revision of EVERY product one ships, on
the client-side, the server side and in the OS itself. Microsoft does not
care about security, regardless of what their latest marketing ploy may be.
If they did, they would not be releasing the same exact bugs in their
software year after year after year.



They do have a lousy track record.  I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard.  In fact, I hope that some other vendors follow their
lead.  My big worry isn't the micro-issues like buffer overflows
-- it's the meta-issue of an overall too-complex architecture.  I
don't think they have a handle on that yet.



                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)
Previous By Date Next
Previous By Thread Next

Current thread: