nanog mailing list archives

Re: Anyone see a game changer here?

From: Gadi Evron <ge () linuxbox org>
Date: Sat, 23 Jan 2010 08:32:20 +0200

On 1/23/10 6:08 AM, Steven Bellovin wrote:

I think that that's wishful thinking.  IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often 
fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the 
power to say "no, you can't ship this".  They've also put a lot of effort into building and using security tools.  (For 
earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)

I'm not a fan of Windows.  I think it's ugly and bloated, and I don't like it as a user environment.  I'm typing this on a Mac 
(which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and 
a developer -- of NetBSD.  If the world suddenly switched its OS of choice away from Windows, I wouldn't weep.  But I also would and do hope 
that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.

Microsoft has put a lot into securing its code, and is very good atdoing so.

My main argument here is about the policy of handling vulnerabilitiesfor 6 months without patching (such as this one apparently was) and thepolicy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shownit is a responsible vendor. Also, patching vulnerabilities is far fromeasy, and Microsoft has done a tremendous job at getting it done. Isimply call on it to stay responsible and amend its faulty and dangerouspolicies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhapstheir policies ought to be examined for regulation as criticalinfrastructure, if they can't bring themselves to be more responsible ontheir own.

This is the first time in a long while that I find it fit to criticizeMicrosoft on security. Perhaps they have grown complacent with the PRnightmare of full disclosure a decade behind them, with mostvulnerabilities now "sold" to them directly or indirectly by thesecurity industry.


        Gadi.



--
Gadi Evron,
ge () linuxbox org.

Blog: http://gevron.livejournal.com/

Current thread:

Re: Anyone see a game changer here?, (continued)
- - - Re: Anyone see a game changer here? tvest (Jan 15)
    - Re: Anyone see a game changer here? Fred Baker (Jan 15)
    - RE: Anyone see a game changer here? Warren Bailey (Jan 15)
    - Re: Anyone see a game changer here? Gadi Evron (Jan 21)
    - Re: Anyone see a game changer here? James Hess (Jan 21)
    - Re: Anyone see a game changer here? Bruce Williams (Jan 21)
    - Re: Anyone see a game changer here? Steven Bellovin (Jan 22)
    - Re: Anyone see a game changer here? William Pitcock (Jan 22)
    - Re: Anyone see a game changer here? Brielle Bruns (Jan 22)
    - Re: Anyone see a game changer here? Steven Bellovin (Jan 22)
    - Re: Anyone see a game changer here? Gadi Evron (Jan 22)
    - Re: Anyone see a game changer here? gordon b slater (Jan 21)
    - Re: Anyone see a game changer here? Valdis . Kletnieks (Jan 22)
    - Re: Anyone see a game changer here? Damian Menscher (Jan 23)
    - Re: Anyone see a game changer here? Gadi Evron (Jan 23)
    - Re: Anyone see a game changer here? Gadi Evron (Jan 23)
    - Re: Anyone see a game changer here? Damian Menscher (Jan 23)
    - Re: Anyone see a game changer here? Gadi Evron (Jan 24)
    - RE: Anyone see a game changer here? Keith Medcalf (Jan 16)
- Re: Anyone see a game changer here? andrew.wallace (Jan 16)
  - Re: Anyone see a game changer here? Joe Greco (Jan 16)

(Thread continues...)