Security Incidents mailing list archives

RE: Releasing patches is bad for security


From: "Davis, Kyle" <kydavis () ufl edu>
Date: Tue, 2 Mar 2004 10:30:18 -0500


I think MS, instead of cleaning up legacy code, is focusing more on
integrating longhorn et al. with hardware DRM (it's like killing fifty
birds with one stone, in their eyes)

Just my 2 cents :>


k.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Monday, March 01, 2004 12:28 PM
To: Joe Miller
Cc: Chris Brenton; incidents () securityfocus com
Subject: Re: Releasing patches is bad for security 

On Sat, 28 Feb 2004 14:48:37 EST, Joe Miller <joseph-p-miller () cox net>
said:

> I would hope MS has hundreds of the brightest software engineers
> specifically focused on finding security flaws in all of their software.
> They should also hire third party security engineers to do the same until
> all security holes are discovered, code rewrites planned, designed and
> deployed before the company chokes to death on its own mistakes. They
> certainly have enough liquid assets to do so.

What bottom-line profit motive is there for Microsoft to do so?

Remember that a corporation's fiduciary responsibility is to *the bottom
line*, not to their customers(*).  There's no reason for Microsoft to spend
$100M or whatever on security, unless there's reasonable expectation of a
payback on the bottom line.  In fact, spending $100M *without* any
expectation of payback is likely to get you the target of a shareholder
lawsuit.

(*) If you don't believe me, read their EULA - they disclaim all
responsibility for their code quality, and have somewhere near zero
obligation to you as a customer. If you want to get rid of your current
Microsoft account rep, ask him about indemnification from them, and watch
them die laughing....

> They also have enough cash to then hire the brightest security and
> software engineers to develop OS's and Applications while incorporating
> security specs, reasonable care and due diligence. Developing the security
> controls with the OS and applications is the only way Microsoft will
> survive as a software company of the future.

Well, *now* they're spending the money, because they can find a business
case for doing so - "If we don't do something, users will bail out to
open-source solutions that aren't hacked into on a daily basis".

The problem now is that security isn't something you can bolt on after the
fact, and a *lot* of the WinXP code is legacy code from Win/NT (proven by
the number of exploits that work clear across NT to XP, often with the same
offsets even).


