Common problems with Ubuntu
Micha Feigin
michf at post.tau.ac.il
Wed May 12 01:21:02 IDT 2010
On Tue, 11 May 2010 23:50:49 +0300
Elazar Leibovich <elazarl at gmail.com> wrote:
> I guess we'll stay divided, but still, for the sake of completeness I want
> to clarify my argument.
> My point is that some security decisions (for example, the "Tuesday patch"
> you mentioned), even if they are very wrong (and obviously, MS security guys
> would beg to differ), don't play a very big role in the overall security of
> your products.
> However, good software engineering practices play a big role, and MS is
-----------------------------------------------
You're joking, right?
They are still at the point of "let's get it into the market and worry about making it work right later on"
(see Windows Vista, or Fichsta as I like to call it, for example. Win 7 is still
not half there either; see the new graphics driver model for examples, which you
won't believe how much trouble it causes: virtual memory on the video card
handled by the operating system behind the driver's back ...)
> doing that big time, and putting a lot of resources into secure software
> development. So the question of whether or not the Tuesday Patch is a good
> idea, and whether or not full disclosure is a good idea, matters much less
> than the question of whether or not they have security experts evaluating the
> security of each and every piece of software signed by MS.
> About the complexity of Windows and backwards compatibility, it is indeed an
> issue which any company that develops for Windows needs to handle. I
> really don't see how it is related. Keep in mind that MS is making much more
> software than just the Windows OS.
>
> On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara <gilboad at gmail.com> wrote:
>
> > On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:
> > > Why do you think that MS believes in security by obscurity? I believe
> > > that security problems in MS products are, generally speaking, being
> > > released to the wild.
> > > Why I think MS products have a better chance of being secure than your local
> > > Joe Software shop: because they have strict policies which are
> > > supposed to enforce that:
> > > 1) The SDL development process, which includes fuzz testing the
> > > software specifically against security breaches. Every MS software
> > > product must undergo that. Does the regular software you use?
> > > 2) Cryptography awareness. Every product which uses crypto must be
> > > authorized by a specialized crypto group. Crypto is a thing which is
> > > easy to create and hard to verify. Is WinZip's encryption algorithm
> > > being reviewed by a crypto expert? I'd rather know that the software I
> > > use has had a strong peer review.
> > > Correct me if I'm wrong, but these two processes are hardly seen in
> > > other places in the software industry.
> >
> > ... I doubt that any of the above has anything to do with the points I
> > raised in my previous post, but never mind, let's agree not to agree.
> >
> > - Gilboa
> >
> >
> > _______________________________________________
> > Linux-il mailing list
> > Linux-il at cs.huji.ac.il
> > http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
> >