<div dir="ltr">I guess we'll stay divided, but still, for the sake of the completion I want to clarify my argument.<div>My point is, that some security decisions (for example, the "Tuesday patch" you mentioned), even if they are very wrong (and obviously, MS security guys would beg to differ) doesn't play a very big role in the overall security of your products.</div>
<div>However good software engineering practices plays a big role, and MS is doing that big time, and putting a lot of resources for secure software development. So the question whether or not the Tuesday Patch is a good idea, and whether or not full disclosure is a good idea matters much less than the question whether or not they have security expert evaluating the security of each and every software signed by MS.</div>
<div>About the complexity of Windows and backwards compatibility, it is indeed an issue which any company which develops for Windows need to handle with. I really don't see how is it related. Keep in mind that MS is making much more software than just the windows OS.<br>
<br><div class="gmail_quote">On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara <span dir="ltr"><<a href="mailto:gilboad@gmail.com">gilboad@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:<br>
> Why do you think that MS believe in security by obscurity? I believe<br>
> that security problems in MS products are generally speaking being<br>
> released to the wild.<br>
> Why I think MS products has better chance to be secure than your local<br>
> Joe Software shop, because they're having strict policies which are<br>
> supposed to enforce that:<br>
> 1) The SDL development process, which includes fuzz testing the<br>
> software specifically against security breaches. Every MS software<br>
> must undergo that. Do regular software you use do?<br>
> 2) Cryptography awareness. Every product which uses crypto must be<br>
> authorized by a specialized crypto group. Crypto is a thing which is<br>
> easy to create and hard to verify. Is Winzip encryption algorithm<br>
> being reviewed by crypto expert? I'd rather know that the software I<br>
> use had a strong peer review.<br>
> Correct me if I'm wrong, but this two processes are hardly seen in<br>
> other places of the software industry.<br>
<br>
</div>... I doubt that any of the above has anything to do with the points I<br>
raised in my previous post, but never-mind, lets agree no to agree.<br>
<div><div></div><div class="h5"><br>
- Gilboa<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div></div>