Secure Coding mailing list archives

Re: Any software security news from the RSA conference?


From: "Mark D. Rockman" <m.rockman2 () verizon net>
Date: Tue, 02 Mar 2004 15:45:40 +0000

Any software change is bound to inconvenience somebody.  With Microsoft, I
find the problem is not that they make changes but that they make changes
WITHOUT properly announcing them.  For example, if they do make a change and
announce it at some conference, that gets the message to some small
percentage of the people who NEED to get the message.  Grandma and her
e-mail client and pictures of her grandkids is totally clueless and possibly
hostile towards detailed change information.  I'm not grandma.  I take pride
in knowing what is going on and can do so if only I am enabled to do so.

Mark Rockman, B.S., MCP
----- Original Message ----- 
From: "Alun Jones" <[EMAIL PROTECTED]>
To: "'ljknews'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, February 27, 2004 18:58
Subject: RE: [SC-L] Any software security news from the RSA conference?


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ljknews
Sent: Friday, February 27, 2004 9:51 AM

You must be thinking of a different Bill Gates than the one familiar
to me.  I am thinking of the one who announced a few years ago that
Microsoft would stop other activities for a month and fix
their security.

I wonder if this is the same Bill Gates who then doubled that time off new
development (note - he doesn't talk about security as a finished job), and
mandates the reading of the book "Writing Secure Code", amongst other
things.

But Bill isn't the only person at Microsoft, and it's really important that
a large number of people at Microsoft "get it".  Bill's job, when he turns
up to these things, is essentially to say whatever Microsoft's game plan is,
currently, not to impress us that he has found religion.  What's key is the
number of other people within Microsoft that "get security".  As a Security
MVP, I get to spend time with some of these people, and they really do seem
to have a clue - I should know, I fill their inboxes with whatever my latest
pontifications on security are, and I read the responses I get back very
carefully.

Microsoft has a lot of code to contend with, and much of it is old - so a
lot of it has had to be scrubbed clean of imperfections, and some has had to
be re-written.  And yet, they're actually _doing_ it.  How many people are
howling about the decision to remove the non-RFC http format that's used by
so many scammers and spammers?  How many people are going to howl that
enabling the firewall by default in SP2 makes life "harder" for them?  There
are some very tough decisions being made in the right direction here, I
think.

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
