[35613] in bugtraq


Re: Microsoft and Security

daemon@ATHENA.MIT.EDU (Jason Coombs)
Tue Jul 6 17:37:58 2004

Message-ID: <40E9F369.6030801@science.org>
Date: Mon, 05 Jul 2004 14:33:45 -1000
From: Jason Coombs <jasonc@science.org>
Reply-To: jasonc@science.org
MIME-Version: 1.0
To: Alun Jones <alun@texis.com>
Cc: "'Justin Wheeler'" <jwheeler@datademons.com>,
        "'Radoslav Dejanovic'" <radoslav.dejanovic@opsus.hr>,
        bugtraq@securityfocus.com
In-Reply-To: <20040704171538.GA38658@mail01g.rapidsite.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Alun Jones wrote:
> ... okay, so you're arguing that even more QA and more testing should be
> <snip>
> releasing a smaller fix, with minimal impact, as soon as possible.
> <snip>
> improving the process, perhaps you should try and express those suggestions
> in a coherent manner that could be used
...

Aloha, Alun.

My suggestion is a simple one that all software developers can manage to 
incorporate into their busy schedules and tight budgets:

Hire an expert to conduct a thorough forensic review of the software 
before it is released, and publish the forensic analysis report.

Any vulnerabilities, flaws, areas that need additional work, portions 
that were built by subcontractors of questionable skill or loyalties, 
portions that were offshored, features that the programmers themselves 
warn are not yet done by placing comments in the source code, third 
party libraries or code or algorithms that may create intellectual 
property liability for the end user, and all other issues of computer 
forensics and computer law should be spelled out as clearly as possible 
by any company that develops and distributes software to the public.

Anyone who does not publish a forensic analysis report along with their 
software should publish the source code, whether or not they release 
legal rights to that source code under an open source or free software 
license.

The computing public should not have to reverse engineer software 
products in order to figure out what they do to the computers on which 
they are installed and used.

Even the Department of Justice knew better than to allow the FBI to 
build and deploy law enforcement computer technology without hiring an 
expert to write a forensic report on the product, and the FBI doesn't 
try to sell "Carnivore" to anyone.

http://www.epic.org/privacy/carnivore/

Final Independent Technical Review of the Carnivore System
http://www.epic.org/privacy/carnivore/carniv_final.pdf

We should require software vendors to take this stuff seriously.

Sincerely,

Jason Coombs
jasonc@science.org
