MS Exec: Products not engineered for security

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551

    MS Exec: Products not engineered for security

    Wow.... It's nothing we don't all know, but I never thought I'd hear it come out of an MS exec's mouth:

    "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."
    I'm sure this guy will be getting a trip to the woodshed shortly.

    Read the whole article at Infoworld.
    Do what you want with the girl, but leave me alone!

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    I have read in newspapers that MS wants to regain a better popularity with their "trustworthy computing" program. In order to do so, Bill paid for ONE day (yes, only one) for each employee to learn security!

    If it continues, we will have to create a specific "tech-humor" section only for M$!
    Life is boring. Play NetHack... --more--

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    8 hours of training around how to avoid common programming errors is more than enough training on that particular topic... One day of training to try and teach someone about computer security in general is definitely not enough... even 6 months of daily training could not get you trained on all aspects...

    When you are talking about how efficient training is you have to look at what the people being trained do..

    So in the case of programmers, teach them how to avoid buffer overflows and other common mistakes.. and your training is highly effective.. I don't see why you think that is funny..


    You also have to take Valentine's comment into complete perspective...

    "Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."

  4. #4
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    "Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."
    Personally, I don't see that as anything more than typical Microsoft spin. There's a whole lot more to the vulnerability picture than the number of buffer overflows that have been discovered in the last 12 months. You have to look at the nature and the severity of the flaws, not just the raw number.

    Secondly (and this is JMHO), I think coding buffer overflows is a small problem in comparison to Microsoft's real problem. I think Windows is fundamentally flawed because it was never really designed for some of the uses it's being put to today. Microsoft wasn't really interested in the Internet and multiuser environments when NT was designed in 1991. A lot of the functionality we see in Windows today is an afterthought. You can't slap a login screen and some filesystem ACLs on top of a system that started out as single user and expect it to work like a *nix that was designed from the ground up to be multi-user. A perfect example is the shatter exploit. The reason this is happening is because they were still thinking single-user at the console when they designed the API.

    When Valentine says "engineered for security" I think he's exactly right. He didn't say "coded for security." Big difference.

    Just MHO, of course.
    Do what you want with the girl, but leave me alone!

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I agree with what you are saying PC.. However... It is not totally accurate to say that Unix was designed with security in mind.. They have just had over 30 years to get it right... Another major difference in the two is the corporate structures that designed them...

    Unix was developed primarily by AT&T.. AT&T is known for being able to develop and maintain extremely stable highly available systems... Look at your phone for instance... How often do you not have a dial tone? Most of the time when you don't have one, it's not because of equipment failure.. but rather because of a line disconnect or cut.... AT&T doesn't currently make any of the phone switching equipment.. But they were the primary manufacturer of it for quite some time, and they set the standard and precedent that all subsequent vendors have had to follow.

    The problem with MS is that they essentially helped build the PC market that exists today.. So people don't have anything else to compare it to.. It will hopefully get better.. but it won't happen overnight..

  6. #6
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    "It is not totally accurate to say that Unix was designed with security in mind.."
    I didn't say it was designed with security in mind. I said it was designed to be multiuser.
    Do what you want with the girl, but leave me alone!

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Dooh!!! you got my point though I hope...
