RE: Your Opinion

["Jim Harrison" <Jim () isatools org>]

"..diversified too much.." - this is only partly true.  It's just as
accurate to state that too many cooks spoil the soup as it is to argue
that too few cooks accomplish the same.  Neither argument is
self-validating.  Likewise, "..companies that specialize and focus.." is
no more accurate than the previous statements.

If Microsoft were to specialize, the "powers that be" could easily
justify dropping their current payroll to the teams that produce the
surviving products.  Never make the assumption of "all those devs in one
pot"...  It just doesn't play out that way and frankly, isn't a
sustainable business model.  I'll bet that Symantec doesn't maintain a
payroll anything like what MS does.

"Sunlight is the best disinfectant.." sounds  suspiciously like "a
thousand eyes" - a theory that has not fully borne the fruit of its
supporters.  There are as many (if not more) vuln reports for OS
software as for MS products.  As I stated previously, the "sunlight" has
been provided via two separate, but similar legal decisions.

"Conflict of interest" is being redefined in some interesting ways
during this thread.  

-----Original Message-----
From: jay.tomas () infosecguru com [mailto:jay.tomas () infosecguru com] 
Sent: Monday, March 19, 2007 11:50 AM
To: AlexE () sunbelt-software com; Jim Harrison; Mark () ngssoftware com;
bugtraq () securityfocus com; vulnwatch () vulnwatch org;
full-disclosure () lists netsys com
Subject: RE: Your Opinion

I would add this angle as well.... Specialization. 

Its the reason that Microsoft is not Spectacular in anything. They have
diversified too much and thus have shortcoming in certain sectors. I
thinking having other companies that specialize and focus their efforts
in security add a separate layer to the overall mix. Its the reason that
Symantec and other vendors dont get into the Streaming Media,
Spreadsheet etc. arena. The have expertise in security.

I agree its a conflict to create the product and have 100% control of
compliance/QA of the security components. Sunlight is the best
disinfectant. When you control the whole process you can and will
prioritize security/patching releases. Can you imagine if there weren't
folks like David Litchfield and other diligent researchers how long it
would take to see patches.

Jay

----- Original Message -----
From: Alex Eckelberry [mailto:AlexE () sunbelt-software com]
To:
Jim () isatools org,Mark () ngssoftware com,bugtraq () securityfocus com,vulnwatc
h () vulnwatch org,full-disclosure () lists netsys com
Sent: Sat, 17 Mar 2007 13:20:44 -0400
Subject: RE: Your Opinion

Actually, I have a hard time understanding why it isn't a conflict of
interest -- at least in theory (perhaps not in practice). 

Security apps sell in direct proportion to infection rates, fear of
infection, etc.   

In the case of Msft, the more exploits they have in the browser, the
more security apps they can sell. 

The less secure the operating system is, the more the vendor can sell
security apps. 

And so on. 

Thompson is right, in that it is a theoretical conflict of interest.  I
suppose the real question is:  Is it the same from a practical
perspective.

Alex Eckelberry



 

-----Original Message-----
From: Jim Harrison [mailto:Jim () isatools org] 
Sent: Friday, March 16, 2007 6:55 PM
To: Mark Litchfield; bugtraq () securityfocus com; vulnwatch () vulnwatch org;
full-disclosure () lists netsys com
Subject: RE: Your Opinion

Thanx, Mark

One phrase; "consider the source".

The expert participant in this interview is (catch me before I faint) -
Symantec CEO John Thompson.  Symantec and other security vendors have
had more than ample opportunity to get in this game and it wasn't until
Vista hit the Beta track that Symantec folks even started noticing that
their hooks were (re)moved.  It's a potentially questionable process
that uses the same mechanisms as the malware they seek to defend
against.  Yes, I know; "think like a criminal"...

I agree that functional and security patches should be free (and they
are), but software packages to protect Jo(sephin)e User from their
propensity for digital self-abuse should be sold.  You want me to
protect you from your own actions? - pay me.  This is the basis for most
consultant businesses.  The argument that the OS vender shouldn't "get
into the security game" is self-serving at best (remember the source?).
Thanks to recent EU and DoJ decisions, no one can argue that "they don't
have access to the same information as MS teams".  This is freely
available on MSDN and if you want protocol specifics, to anyone willing
to sign a licensing agreement with MS.

IMHO, he's just plain wrong and is only making "they're being
meanie-poo-poo-heads" noises.

Jim

-----Original Message-----
From: Mark Litchfield [mailto:Mark () ngssoftware com]
Sent: Friday, March 16, 2007 11:49 AM
To: bugtraq () securityfocus com; vulnwatch () vulnwatch org;
full-disclosure () lists netsys com
Subject: Your Opinion

I have heard the comment "It's a huge conflict of interest" for one
company to provide both an operating platform and a security platform"
made by John Thompson (CEO Symantec) many times from many different
people.  See article below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS,
why would it be a conflict of interest for them to want to protect their
own OS from attack.  One would assume that this is a responsible
approach by the vendor, but one could also argue that their OS should be
coded securely in the first place.  If this were to happen then the need
for the Symantec's, McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark 


All mail to and from this domain is GFI-scanned.


....


All mail to and from this domain is GFI-scanned.