Perhaps in deference to Microsoft, the oft-used "Our products were not designed for security" quote should be supplied with some additional context. Much of their code was written **for manageability**, at a time when one of the driving market forces was maintaining some kind of centralized control in a corporate environment where the computing horsepower was just moving from the server (or as it was called at the time, the "mainframe") to the users' desktops. So the systems open at the "back end", intentionally and by design, to facilitate a degree of remote monitoring and control by the "good guys". Unfortunately, when everyone hooked up to the Net, the software wasn't brainy enough to tell them apart from the "bad guys".

It is rather interesting that one of the shifts favored by Microsoft (and others) is a return of the meat-and-potatoes processing back into a locked glass house under the mantra of "Web services".

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/127/17265#17265