funsec mailing list archives
Re: fog of cyberwar
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 23 Jan 2010 16:54:09 -0500
On Sat, Jan 23, 2010 at 08:34:16AM +0200, Gadi Evron wrote:
> On 1/23/10 2:02 AM, Rich Kulawiec wrote:
>> Meanwhile, Microsoft has essentially unlimited personnel and financial resources. They could hire 500 top-notch staff tomorrow, pay them out of petty cash, and completely rewrite IE with security as the overarching design goal -- if they wanted to. They could have done so years ago -- if they wanted to.
>
> Microsoft has put a lot into securing its code, and is very good at doing so.
I think there's a big disconnect between that and:
A whole month as the default response to patching a 0day? Really?
If they were actually interested in doing the right thing, and not merely trying to be perceived as doing the right thing, then they simply would not have allowed that month to elapse. First, they would have been ready for it (this is not the first 0-day), and second, they would have pushed The Big Red Button which summons all available and applicable personnel to work the issue 24x7 until resolved. Other entities/projects do this, sometimes with mixed results (e.g. not-quite-fixes), but they're clearly making the effort. I do not see this effort from Microsoft: their fastest response seems to come from their well-paid professional spokesliars.

I'll also put it this way: suppose you're right. Suppose Microsoft has put a lot into securing its code. Whatever they're doing... it's not working very well. Because the number of zombies continues to monotonically increase, just as it has for most of a decade.

Once again, if Microsoft was serious about security, they would be taking corporate responsibility for all those zombies and undertaking massive (and very, very expensive) remediation efforts. They're not. They won't. They don't even want to be in the same room with any mention of that problem, and will deny it, obfuscate it, minimize it, anything but admit it.

If what they're doing was going to work, it would have worked by now.

---Rsk