Security Incidents mailing list archives
RE: Releasing patches is bad for security
From: "Davis, Kyle" <kydavis () ufl edu>
Date: Tue, 2 Mar 2004 10:30:18 -0500
I think MS, instead of cleaning up legacy code, is focusing more on integrating Longhorn et al. with hardware DRM (it's like killing fifty birds with one stone, in their eyes). Just my 2 cents :>

k.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Monday, March 01, 2004 12:28 PM
To: Joe Miller
Cc: Chris Brenton; incidents () securityfocus com
Subject: Re: Releasing patches is bad for security

On Sat, 28 Feb 2004 14:48:37 EST, Joe Miller <joseph-p-miller () cox net> said:
I would hope MS has hundreds of the brightest software engineers specifically focused on finding security flaws in all of their software. They should also hire third party security engineers to do the same until all security holes are discovered, code rewrites planned, designed and deployed before the company chokes to death on its own mistakes. They certainly have enough liquid assets to do so.
What bottom-line profit motive is there for Microsoft to do so? Remember that a corporation's fiduciary responsibility is to *the bottom line*, not to their customers(*). There's no reason for Microsoft to spend $100M or whatever on security, unless there's reasonable expectation of a payback on the bottom line. In fact, spending $100M *without* any expectation of payback is likely to make you the target of a shareholder lawsuit.

(*) If you don't believe me, read their EULA - they disclaim all responsibility for their code quality, and have somewhere near zero obligation to you as a customer. If you want to get rid of your current Microsoft account rep, ask him about indemnification from them, and watch them die laughing....
They also have enough cash to then hire the brightest security and software engineers to develop OS's and Applications while incorporating security specs, reasonable care and due diligence. Developing the security controls with the OS and applications is the only way Microsoft will survive as a software company of the future.
Well, *now* they're spending the money, because they can find a business case for doing so - "If we don't do something, users will bail out to open-source solutions that aren't hacked into on a daily basis". The problem now is that security isn't something you can bolt on after the fact, and a *lot* of the WinXP code is legacy code from Win/NT (proven by the number of exploits that work clear across NT to XP, often with the same offsets even).