Firewall Wizards mailing list archives
Re: @Stake CTO fired for Microsoft comments
From: Roger Marquis <marquis () roble com>
Date: Mon, 29 Sep 2003 10:57:44 -0700 (PDT)
On 26/09/03 19:12 -0400, Claussen, Ken wrote:
> with the Operating system itself (there have been numerous Root level compromises of other operating system) and more to do with the skill of the administrator.

This is factually incorrect. MS Windows, 2003 et al, are insecure in both default and hardened configurations. The vulnerabilities exist due to several well known design decisions:

* leveraging of Windows' large and insecure legacy code base.
* a dearth of code reviews relative to other OS.
* lack of memory protection.
* full-privilege processes, which could run in user-mode but don't in order to avoid context switching and its performance penalty.
* proprietary hooks embedded throughout the OS to preserve MS' advantage over third party developers.
* Perhaps most importantly are the business decisions which MS has made for many years, deemphasizing security for features and time-to-market. The most recent example of this is SOAP, _designed_ to bypass firewalls and already being exploited.

> Let's tone down the rhetoric and get back to discussing security. I have seen people
Problem is neither Dan Geer nor Bruce Schneier have published anything resembling rhetoric. Neither did Brett Glass (<http://www.thetwowayweb.com/stories/storyReader$56>), or NPR which carries MS ads and, as a result, has never aired a story critical of the company. Much of the news Joe Public sees today is similarly toned-down. While this may benefit advertisers it ultimately dumbs down the system to the point where it is vulnerable (to spam, viruses, worms etc). Historical examples of what this can lead to include AMC, asbestos manufacturers, big tobacco, ... This sort of group-think and self-deception is examined in Daniel Goleman's "Vital Lies, Simple Truths - The Psychology of Self-Deception". Recommended reading for anyone in the business of information security.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- @Stake CTO fired for Microsoft comments Gwendolynn ferch Elydyr (Sep 26)
- Re: @Stake CTO fired for Microsoft comments Joseph S D Yao (Sep 26)
- Re: @Stake CTO fired for Microsoft comments Paul Robertson (Sep 26)
- Re: @Stake CTO fired for Microsoft comments Ryan M. Ferris (Sep 26)
- <Possible follow-ups>
- Re: @Stake CTO fired for Microsoft comments Mike Hoskins (Sep 28)
- Re: @Stake CTO fired for Microsoft comments Mark Teicher (Sep 28)
- RE: @Stake CTO fired for Microsoft comments Claussen, Ken (Sep 28)
- Re: @Stake CTO fired for Microsoft comments Devdas Bhagat (Sep 28)
- Re: @Stake CTO fired for Microsoft comments Roger Marquis (Sep 30)
- RE: @Stake CTO fired for Microsoft comments Frank Darden (Sep 30)
- Re: @Stake CTO fired for Microsoft comments Adam Shostack (Sep 30)
- Re: @Stake CTO fired for Microsoft comments Joseph S D Yao (Sep 26)