funsec mailing list archives

Re: fog of cyberwar

From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 23 Jan 2010 16:54:09 -0500

On Sat, Jan 23, 2010 at 08:34:16AM +0200, Gadi Evron wrote:

On 1/23/10 2:02 AM, Rich Kulawiec wrote:

Meanwhile, Microsoft has essentially unlimited personnel and financial
resources.  They could hire 500 top-notch staff tomorrow, pay them
out of petty cash, and completely rewrite IE with security as the
overarching design goal -- if they wanted to.  They could have done
so years ago -- if they wanted to.


Microsoft has put a lot into securing its code, and is very good at 
doing so.


I think there's a big disconnect between that and:

A whole month as the default response to patching a 0day? Really?


If they were actually interested in doing the right thing, and not
merely trying to be perceived as doing the right thing, then they
simply would not have allowed that month to elapse.  First, they would
have been ready for it (this is not the first 0-day), and second, they
would have pushed The Big Red Button which summons all available and
applicable personnel to work the issue 24x7 until resolved.

Other entities/projects do this, sometimes with mixed results
(e.g. not-quite-fixes) but they're clearly making the effort.
I do not see this effort from Microsoft: their fastest response
seems to come from their well-paid professional spokesliars.


I'll also put it this way: suppose you're right.  Suppose Microsoft
has put a lot into securing its code.  Whatever they're doing...it's
not working very well.  Because the number of zombies continues to
monotonically increase, just as it has for most of a decade.  Once again,
if Microsoft was serious about security, they would be taking corporate
responsibility for all those zombies and undertaking massive (and very,
very expensive) remediation efforts. They're not. They won't. They don't
even want to be in the same room with any mention of that problem, and
will deny it, obfuscate it, minimize it, anything but admit it.

If what they're doing was going to work, it would have worked by now.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: fog of cyberwar, (continued)
- - - Re: fog of cyberwar Vaughn, Randal L. (Jan 22)
    - Re: fog of cyberwar Dan Kaminsky (Jan 22)
    - Re: fog of cyberwar Gadi Evron (Jan 22)
    - Re: fog of cyberwar Dan Kaminsky (Jan 22)
    - Re: fog of cyberwar Gadi Evron (Jan 22)
    - Re: fog of cyberwar Joel Helgeson (Jan 23)
    - Re: fog of cyberwar Vaughn, Randal L. (Jan 22)
    - Re: fog of cyberwar Rich Kulawiec (Jan 22)
    - Re: fog of cyberwar Gadi Evron (Jan 22)
    - Re: fog of cyberwar phester (Jan 23)
    - Re: fog of cyberwar Rich Kulawiec (Jan 23)
    - Re: fog of cyberwar Gadi Evron (Jan 23)
    - Re: fog of cyberwar Jason Lewis (Jan 24)
    - Re: fog of cyberwar Dan White (Jan 24)
    - Re: fog of cyberwar phester (Jan 24)
    - Re: fog of cyberwar steve pirk [egrep] (Jan 24)
    - Re: fog of cyberwar Rich Kulawiec (Feb 01)
    - Re: fog of cyberwar Valdis . Kletnieks (Jan 23)
    - Re: fog of cyberwar Rich Kulawiec (Jan 24)
- Re: fog of cyberwar Amrit Williams (Jan 21)
- Re: fog of cyberwar Toralv_Dirro (Jan 22)

(Thread continues...)