Busting the Worm Writers
Tim Mullen, 2003-11-24

Microsoft deserves praise for offering a cash reward to catch people who criminally exploit their bugs.

Busting the Worm Writers 2003-11-24
dlEEb (1 replies)
Busting the Worm Writers 2003-11-29
jarhead
Hats Off To Mullen 2003-11-24
MULLET HEAD (1 replies)
Hats Off To Mullen 2003-11-25
Anonymous (2 replies)
Hats Off To Mullen 2003-11-25
Anonymous
Hi, Sweetheart! 2003-11-25
Penguinisto (1 replies)
Oh my... 2003-11-28
Anonymous (1 replies)
Why yes, yes there is. 2003-11-28
Penguinisto (1 replies)
Why yes, yes there is. 2003-12-03
Anonymous
Busting the Worm Writers 2003-11-24
Anonymous
Busting the Worm Writers 2003-11-24
Anonymous (1 replies)
Busting the Worm Writers 2003-11-25
Anonymous
Busting the Worm Writers 2003-11-24
Anonymous
Busting the Worm Writers 2003-11-24
Anonymous (1 replies)
Busting the Worm Writers 2003-11-25
Anonymous (1 replies)
Remote vs. local exploits 2003-11-26
Anonymous
Busting the Worm Writers 2003-11-24
Anonymous
Life... anyone!? 2003-11-25
Anonymous (3 replies)
Life... anyone!? 2003-11-25
Anonymous
Life... anyone!? 2003-11-25
Anonymous
Life... anyone!? 2003-11-26
Stefan (1 replies)
Life... anyone!? 2003-11-26
Anonymous (1 replies)
Life... anyone!? 2003-11-27
Stefan (1 replies)
Life... anyone!? 2003-11-28
Anonymous
Typical Responses 2003-11-25
John Carroll (4 replies)
Typical Responses 2003-11-25
Penguinisto
Typical Responses 2003-11-25
Anonymous
Typical Responses 2003-11-26
Oregon
I'll believe it when I see it... 2003-11-26
Anonymous
abused housewife 2003-11-25
aeonflux
Busting the Worm Writers 2003-11-26
Anonymous
Busting the Worm Writers 2003-11-26
Pee
Busting the Worm Writers 2003-11-26
Rob McQuillen
How old is Mullen? 2003-11-27
(1 replies)
How old is Mullen? 2003-11-28
JHC (1 replies)
How old is Mullen? 2003-11-28
Captain Kirk hahaha (1 replies)
How old is Mullen? 2003-11-28
JHC
Busting the Worm Writers 2003-12-01
Michal
Busting the Worm Writers 2003-12-02
Rihards
Is Mullen Looking for a Job at Microsoft? 2003-12-03
Matthew Murphy
Tim,

I used to read your articles for their technical content. That is a habit I have broken. More often than not, I find myself reading them because of how incredibly humorous said reading turns out to be.

Stating that security vulnerabilities are a fact of life is a far more shallow assumption than the ones you critique in your article.

First off, it is possible and feasible to write a project (e.g., qmail, djbdns) that has decent quality control such that there *aren't* vulnerabilities. All that requires is a mentality that focuses on code quality. Sadly, Microsoft will never achieve this mentality, and as such will eventually fall to the ground like the monopolies before it. The great thing is that I will hopefully live to see it.

Second, even if we were to buy into the fact that vulnerabilities exist, they should be an exception to the rule, rather than a fact of life. Why do we see over a hundred vulnerabilities a year addressed by MS? Because MS cannot audit code, and its developers cannot write code securely. I would accept an occasional bug, but allowing MS such a good excuse simply *ensures* that its code will remain forever insecure.

Third, Microsoft can very easily mitigate these vulnerabilities such that worms like Blaster don't happen. If Microsoft had proactively limited RPC and SMB to the local network protocols they claim them to be, a buffer overrun in one of them would not lead to a devastating worm, as the attacking worms couldn't spread outside of their author's LAN.

Fourth, Microsoft as a commercial vendor has an obligation to do what has already been done in the field with the two projects I cited above -- eliminate vulnerabilities. For once, it is time for the community to stop drowning in its own hypocrisy and realize that eliminating vulnerabilities *IS* a realistic goal, and *NEEDS* to be done, regardless of its impact on your personal job security.

Fact is, Mr. Mullen, Microsoft only wants to improve security so long as it avoids bad press. That is done only because good press brings profit. The reason that Microsoft's critics have a "Microsoft policy failure template" is because Microsoft's policies will *FOREVER* fail until it changes its mindset to one that actually cares about its clients.


Link to this comment: http://www.securityfocus.com/comments/columns/199/24025#24025
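The confinement argument in the comment above (restrict inbound RPC/SMB to the local network and a worm that exploits a bug in those services cannot cross subnets), as an added example that is not the commenter's code nor anything from SecurityFocus or Microsoft: a small Python simulation of a scanning worm under the weak policy (RPC/SMB reachable from anywhere) and the corrected one (accepted only from the host's own subnet). The host addresses, the three /24 subnets, the outside attacker address and the single-port scan are constructed for the example; the port list 135/139/445 is the standard RPC endpoint mapper and NetBIOS/SMB listener set that Blaster-class worms targeted.

```python
"""Worm-confinement simulation (added example; constructed network data).

Two inbound firewall policies for the RPC/SMB listeners are modelled as
predicates, and a breadth-first "infect everything you can reach" worm is
run under each one so the difference in blast radius is visible.
"""
import ipaddress
from collections import deque

# TCP ports of the RPC endpoint mapper, NetBIOS session service and SMB.
RPC_SMB_PORTS = frozenset((135, 139, 445))

# Constructed example network: three RFC 1918 /24 subnets with a few hosts
# each, plus one host on a public (documentation-range) address that plays
# an attacker outside the LAN. None of these addresses are real systems.
LAN_HOSTS = [
    "10.0.1.10", "10.0.1.11", "10.0.1.12",
    "10.0.2.10", "10.0.2.11",
    "10.0.3.10", "10.0.3.11",
]
OUTSIDE_HOST = "203.0.113.5"
ALL_HOSTS = LAN_HOSTS + [OUTSIDE_HOST]


def exposed_everywhere(dst, src, port):
    """Weak policy: an RPC/SMB listener on `dst` accepts from any source."""
    return port in RPC_SMB_PORTS


def exposed_local_subnet_only(dst, src, port, prefix=24):
    """Corrected policy: `dst` accepts RPC/SMB only from its own /`prefix`.

    The /24 boundary is an assumption of this example; a real deployment
    would use the site's actual subnet or a "LocalSubnet"-style rule.
    """
    if port not in RPC_SMB_PORTS:
        return False
    local_net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    return ipaddress.ip_address(src) in local_net


def simulate_worm(hosts, patient_zero, policy, port=135):
    """Breadth-first worm propagation.

    Every infected host scans every other host on `port`; a target becomes
    infected exactly when `policy(target, attacker, port)` lets the packet
    through (the service itself is assumed vulnerable on every host).
    Returns the set of infected hosts.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        attacker = queue.popleft()
        for target in hosts:
            if target not in infected and policy(target, attacker, port):
                infected.add(target)
                queue.append(target)
    return infected


def blast_radius(patient_zero, policy):
    """Number of hosts reached from `patient_zero` under `policy`."""
    return len(simulate_worm(ALL_HOSTS, patient_zero, policy))


if __name__ == "__main__":
    for name, policy in (("exposed everywhere", exposed_everywhere),
                         ("local subnet only", exposed_local_subnet_only)):
        inside = simulate_worm(ALL_HOSTS, "10.0.1.10", policy)
        outside = simulate_worm(ALL_HOSTS, OUTSIDE_HOST, policy)
        print(f"{name:>18}: from LAN host -> {len(inside)} of {len(ALL_HOSTS)} hosts; "
              f"from outside -> {len(outside)} of {len(ALL_HOSTS)} hosts")
```

Under the weak policy a single infected host, inside or outside, reaches every machine; under the subnet-restricted policy an outside attacker reaches nobody and an inside infection stays within its own /24. The model deliberately assumes the listener is vulnerable everywhere, which is the point the comment makes: the network exposure, not only the bug, decides whether an overflow becomes a worm.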
Copyright 2009, SecurityFocus