nanog mailing list archives
Re: What could have been done differently?
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 28 Jan 2003 21:00:48 -0500
In message <20030129014651.GB80965 () darkuncle net>, Scott Francis writes:
There's a difference between having the occasional bug in one's software (Apache, OpenSSH) and having a track record of remotely exploitable vulnerabilities in virtually EVERY revision of EVERY product one ships, on the client-side, the server side and in the OS itself. Microsoft does not care about security, regardless of what their latest marketing ploy may be. If they did, they would not be releasing the same exact bugs in their software year after year after year.
They do have a lousy track record. I'm convinced, though, that they're sincere about wanting to improve, and they're really trying very hard. In fact, I hope that some other vendors follow their lead. My big worry isn't the micro-issues like buffer overflows -- it's the meta-issue of an overall too-complex architecture. I don't think they have a handle on that yet. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of "Firewalls" book)
Current thread:
- RE: What could have been done differently?, (continued)
- RE: What could have been done differently? Drew Weaver (Jan 28)
- RE: What could have been done differently? Ray Burkholder (Jan 28)
- Re: What could have been done differently? Iljitsch van Beijnum (Jan 28)
- Re: What could have been done differently? Scott Francis (Jan 28)
- Re: What could have been done differently? Iljitsch van Beijnum (Jan 29)
- Re: What could have been done differently? just me (Jan 29)
- Re: What could have been done differently? Scott Francis (Jan 29)
- Re: What could have been done differently? just me (Jan 29)
- Re: What could have been done differently? Scott Francis (Jan 29)
- Message not available
- Re: What could have been done differently? Scott Francis (Jan 30)
- Re: What could have been done differently? Scott Francis (Jan 28)
- Re: What could have been done differently? Scott Francis (Jan 28)
- Re: What could have been done differently? Brian Wallingford (Jan 28)
- Bell Labs or Microsoft security? Sean Donelan (Jan 29)
- Re: Bell Labs or Microsoft security? Richard A Steenbergen (Jan 29)
- Re: Bell Labs or Microsoft security? Marshall Eubanks (Jan 29)
- Re: Bell Labs or Microsoft security? Richard A Steenbergen (Jan 29)
- Re: Bell Labs or Microsoft security? Florian Weimer (Jan 29)