RE: Time-to-patch vs Disclosure method

From: Dom De Vitto (Domat_private)
Date: Fri Oct 19 2001 - 07:30:35 PDT


    BB & all,
    I agree, here's what I posted as comments to MS technet....
    (I'd like to suggest that others also vent their opinions through this
    channel, and maybe MS will at least not foster this opinion in public)
    
    Scott Culp's comments
    (<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp>)
    make it clear that MS is no longer intent on
    producing more secure products, a statement that reverses those made by MS
    in the last 6 months.
    
    Consequently, I feel I can no longer support the use of MS products, mainly
    (IIS/MTS) for client projects.
    
    Scott seems to believe, as other vendors have in the past (notably
    excluding Sun), that burying security problems, and making detrimental
    remarks about those that discover them, is in the interest of MS and its
    clients.  This thinking is almost completely obsolete in the security arena,
    and even great proponents of MS products thank the organisations that bring
    security bugs to the fore ASAP.
    
    Scott should change his thinking, or MS should change Scott for someone who
    isn't going to mock those who are in positions to influence technology
    decisions.
    
    Dom
    -----Original Message-----
    From: Blue Boar [mailto:BlueBoarat_private]
    Sent: 18 October 2001 21:32
    To: vuln-devat_private
    Subject: Re: Time-to-patch vs Disclosure method
    
    
    A few things to keep in mind about Scott's essay:
    
    In a large company like Microsoft, there are many competing interests.
    Scott likely has nowhere near the influence on product security that
    he would like.  I've been a corporate security guy for a large
    software company (not Microsoft.)  I had reasonable influence over
    the IT infrastructure's security, and absolutely 0 over the product
    security.  The two just weren't related.  My understanding is that
    Scott has some degree of both, but that he has much more control over
    things like responding to reports, driving patches, helping
    with service packs, etc...  and probably a little over actual
    product development.  I know several of the guys in various
    Microsoft security groups, and they actually want to improve
    the product, and they actually know what they are doing.  Having
    said that, they get to say very little about how to improve the
    development process, unless security becomes Microsoft's #1
    marketing item.  Yes, this is akin to closing the barn door
    several years after the horses have run away.  Microsoft clearly
    cares more now about security after the worms, but think about
    what this means for product development.  XP is done and out the door.
    The next whatever is halfway done.  If security takes new development
    rules for development, we're looking at Windows 2005 before they
    show up.
    
    I'm not apologizing for Microsoft.  I'm simply trying to point out
    that there is a way that Scott could be sincere, and Microsoft
    could act the way they do, and both can appear in the same
    company.
    
    And of course, given the list I run, my opinion is that Scott's
    opinion is misguided.  But then I'm not willing to be the guy
    who has to answer for Microsoft's shortcomings, either.
    
    				BB
    