Full Disclosure mailing list archives
Re: Perhaps it's time to regulate Microsoft as Critical Infrastructure?
From: Rohit Patnaik <quanticle () gmail com>
Date: Sun, 24 Jan 2010 12:53:03 -0600
The problem with regulating Microsoft as critical infrastructure is that it simply entrenches the existing monoculture and all the problems that it entails. To really improve our position regarding security, the government ought to encourage greater diversity and openness in the OS market. Placing operating systems under formal regulation would have the opposite effect. It would increase the barriers to entry, discouraging diversity. In effect, this proposal will formalize Windows as the official OS of the federal government.

Second, unless the government extends its regulation to cover all consumers, there will be little to no improvement in security. The vast majority of exploited bugs are not 0-day vulnerabilities. They are bugs that have been discovered and patched. The problem is that the consumer has not applied the patch. If the government really wanted to improve computer security, they'd mandate that citizens keep up with patches to their operating system and applications. Such a mandate would have a far greater immediate impact than any regulation of Microsoft or any other OS vendor.

-- Rohit Patnaik

On Sat, Jan 23, 2010 at 12:57 AM, Gadi Evron <ge () linuxbox org> wrote:
[I have given this some thought, edited my argument, and am moving this message to its own thread.]

Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 months without patching (such as the Google attacks 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability when it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Gadi.

-- Gadi Evron, ge () linuxbox org. Blog: http://gevron.livejournal.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/