[55419] in North American Network Operators' Group
Re: What could have been done differently?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Jan 28 21:07:19 2003
From: "Steven M. Bellovin" <smb@research.att.com>
To: Scott Francis <darkuncle@darkuncle.net>
Cc: Eric Germann <ekgermann@cctec.com>, nanog@merit.edu
Date: Tue, 28 Jan 2003 21:00:48 -0500
In message <20030129014651.GB80965@darkuncle.net>, Scott Francis writes:
>
>There's a difference between having the occasional bug in one's software
>(Apache, OpenSSH) and having a track record of remotely exploitable
>vulnerabilities in virtually EVERY revision of EVERY product one ships, on
>the client side, the server side and in the OS itself. Microsoft does not
>care about security, regardless of what their latest marketing ploy may be.
>If they did, they would not be releasing the same exact bugs in their
>software year after year after year.
They do have a lousy track record. I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard. In fact, I hope that some other vendors follow their
lead. My big worry isn't the micro-issues like buffer overflows
-- it's the meta-issue of an overall too-complex architecture. I
don't think they have a handle on that yet.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)