[55426] in North American Network Operators' Group
Re: What could have been done differently?
daemon@ATHENA.MIT.EDU (Scott Francis)
Tue Jan 28 23:53:26 2003
Date: Tue, 28 Jan 2003 20:46:48 -0800
From: Scott Francis <darkuncle@darkuncle.net>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: nanog@merit.edu
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
"Steven M. Bellovin" <smb@research.att.com>, nanog@merit.edu
In-Reply-To: <20030129020048.2857D7B4D@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Jan 28, 2003 at 09:00:48PM -0500, smb@research.att.com said:
> In message <20030129014651.GB80965@darkuncle.net>, Scott Francis writes:
>
> >There's a difference between having the occasional bug in one's software
> >(Apache, OpenSSH) and having a track record of remotely exploitable
> >vulnerabilities in virtually EVERY revision of EVERY product one ships, on
> >the client-side, the server side and in the OS itself. Microsoft does not
> >care about security, regardless of what their latest marketing ploy may be.
> >If they did, they would not be releasing the same exact bugs in their
> >software year after year after year.
>
> They do have a lousy track record. I'm convinced, though, that
> they're sincere about wanting to improve, and they're really trying
> very hard. In fact, I hope that some other vendors follow their
> lead. My big worry isn't the micro-issues like buffer overflows
> -- it's the meta-issue of an overall too-complex architecture. I
> don't think they have a handle on that yet.
Quite true - complexity is inversely proportional to security (thanks, Mr.
Schneier). Unfortunately, it seems like the Net as a whole, including the
systems, software and protocols running on it, only gets more complex as time
goes by. How will we reconcile this growing complexity and our increasing
dependency on the global network with the ever-growing need for security and
reliability? They seem to be accelerating at the same rate.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui