Bugtraq mailing list archives
Re: Microsoft and Security
From: Valdis.Kletnieks () vt edu
Date: Fri, 09 Jul 2004 11:21:35 -0400
On Mon, 05 Jul 2004 16:10:36 PDT, Alun Jones <alun () texis com> said:
> Microsoft employs people who care about producing good software. We're all indoctrinated from day one that our software is used by everyone - our parents, our neighbours, our children... It's perhaps a unique situation compared to producers of the other OSs, where the users are usually limited to particular sections of the community.
Yes, parts of Microsoft *are* trying to do better, but there's a limit to what any single programmer can achieve without some serious buy-in from high-level project leaders. Unfortunately, there's obviously a disconnect at *some* level, because they keep shipping software that's broken in very fundamental and recognized ways (the concept of "zones", ActiveX, and other such stuff we've known for *YEARS* is a bad security idea). There's just too much lock-in to the concept that since your software is used by everyone, it has to have all sorts of bells and whistles to make life easier for everyone... including black hats.

Be honest now - how many times in their career has the average Microsoft programmer been indoctrinated with "Be Featureful!", and how many times have they heard "Be security-minded paranoids!"? Remember to count double/triple scores for what they heard the first 6-9 months they were there and absorbed the culture.

Proof that Microsoft still needs to re-educate some high-level people: the fact that there was *any* thought given to making SP2 only install on "legal" copies and locking out pirated copies. The number of people running pirated copies that actually will buy legit ones just to install SP2 is quite likely tiny - but the number of people running pirated ones that would end up remaining insecure is much larger. This one *should* have been a no-brainer: "We screwed up, our software sucked security-wise, and to make up for it, we're giving out a freebie update for *everybody* and swallowing the profits from the 23 people who would otherwise go legit just to install SP2".
> I really don't think you'll find much truck with the idea that Microsoft employees are happy to leave their mother's home machine, or those of the general public, open to infection.
Much would be explained by the thesis that the person(s) causing the disconnect mentioned above don't have mothers... ;)