RE: Industry group wants DHS agency to review deal with Microsoft (2 Messages)

[InfoSec News <isn () c4i org>]

Forwarded from: Brooks Isoldi <bjisoldi () acsu buffalo edu>

> Anyone subscribing to mailing lists like Bugtraq or the Secunia
> Security Advisories knows that there are hundreds of new
> vulnerabilities discovered every week in pretty much every
> application and operating system around.

        I beg to differ.  I think if you check how many remote-code
execution exploits there have been for OpenBSD, you will be hard
pressed to find more than a small handfull (one??).  I also think that
just because ALL software has had *SOME* bugs, doesn't mean we should
be content with just any of them.

        So under your reasoning, a home security system which has
systematically failed to protect the occupants of the home,
systematically failed to alert the proper authorities in time and
whose company has systematically failed to fix the problems, just
letting their clients get robbed, raped and murdered for years because
they don't *NEED* to fix the problems in order to keep making money;
should continue to be used, even by customers who are in DESPERATE
need of top-notch security, all because the companies security history
is irrelevant because they are the biggest company and therefore the
most targetted?  Come on...

When you buy a car...don't you take a look at the history of that line
of cars?  Have they been subject to faulty wiring, does it have a
history of blowing up, etc.  I will assume you are rational enough to
not be razzled and dazzled by the glitz and glamour that car companies
use to lure us in like sheep.



Brooks


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org]On 
Behalf
Of InfoSec News
Sent: Friday, August 29, 2003 4:20 AM
To: isn () attrition org
Subject: RE: [ISN] Industry group wants DHS agency to review deal with
Microsoft


Forwarded from: Tony | AVIEN / EWS <tony () avien org>

I agree with the point that it may be unwise to put ALL your eggs in
one basket, but I disagree with the stance that Microsoft's security
history should affect the decision.

Anyone subscribing to mailing lists like Bugtraq or the Secunia
Security Advisories knows that there are hundreds of new
vulnerabilities discovered every week in pretty much every application
and operating system around.

The reason that Microsoft is targeted for worms and viruses in my
opinion is not because their software is more vulnerable- it is
because of their marketshare. The malicious coders of the world want
to attack the most target-rich environment. If you are trying to
infect as many computers as possible then aiming for the home user
market, especially broadband users, provides a broader and easier
target than writing a worm or virus that attacks Linux operating
systems or Oracle databases.

[...]



Forwarded from: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>

ISN Wrote:

<snip>

> ...I disagree with the stance that Microsoft's security history
> should affect the decision.

Any products security history should be considered when deciding to
deploy that product, -especially- Microsoft's - as vulnerabilities in
their product lines tend to have greater impact than others (precisely
for the reasons you have stated).

<snip>

> The malicious coders of the world want to attack the most
> target-rich environment. If you are trying to infect as many
> computers as possible then aiming for the home user market,
> especially broadband users, provides a broader and easier target
> than writing a worm or virus that attacks Linux operating systems or
> Oracle databases.

I would think this was a strong argument to consider other than a MS
platform, both for government and home users alike.

> If the DHS were to go with alternate applications and platforms they
> may very well still find themselves under the gun because of who
> they are and what they represent.

I believe you are correct that whatever platforms DHS deploys, they
will come under fire, from security professionals, press, malicious
attackers, etc.  However from a security standpoint, an exclusive
contract for MS platforms is a -bad- thing (and hence should be
criticized).  A homogenous network will only remove one layer of
defense that could otherwise mitigate a plethora of risk.

<snip>

Thanks,

Benjamin Everist




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.