I left Windows on my last remaining because I got tired of having to wait hours for the virus scans every time I turned on the machine. True, that was with XP, but a company that thrives on market domination, corruption to accomplish said domination, and is known to have bugs around for years, is not someone who I trust with security. It is simply that security and everything but the kitchen sink in the code, including legacy compatibility and legacy code, do not go together.<div>
<br></div><div>I worked for a while at a software house, and we had to write code around MS bugs because they would not fix them, even though we were a development partner. These were not security bugs, but regardless, they were not sensitive to the needs of their developers, except maybe the largest customers.<br>
<div><br></div><div>I have never had any problems with any of my Linux installations, and only one virus was ever found with my OS-X machines. In contrast, I had numerous problems with my Windows machines, even after fresh installs and updates.</div>
<div><br></div><div>That said, I don't think in this forum we should try and convince people or convert them to what we think. If the gentleman is content with MS security (and I am taking his words at face value, not a bait), let him use it and enjoy the outcome.</div>
<div><br></div><div>Just my two cents.<br><br></div><div>Zvi.</div><div><br><div class="gmail_quote">On Tue, May 11, 2010 at 4:21 PM, Micha Feigin <span dir="ltr">&lt;<a href="mailto:michf@post.tau.ac.il">michf@post.tau.ac.il</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">On Tue, 11 May 2010 23:50:49 +0300<br>
<div class="im">Elazar Leibovich &lt;<a href="mailto:elazarl@gmail.com">elazarl@gmail.com</a>&gt; wrote:<br>
<br>
</div><div class="im">> I guess we'll stay divided, but still, for the sake of the completion I want<br>
> to clarify my argument.<br>
> My point is, that some security decisions (for example, the "Tuesday patch"<br>
> you mentioned), even if they are very wrong (and obviously, MS security guys<br>
> would beg to differ) don't play a very big role in the overall security of<br>
> your products.<br>
> However, good software engineering practices play a big role, and MS is<br>
</div> -----------------------------------------------<br>
<br>
you're joking, right?<br>
<br>
They are still at the point of let's get it into the market and worry about making it work right later on<br>
(see Windows Vista, or Fichsta as I like to call it, for example. Win 7 is still<br>
not half there either, see the new graphic driver model for examples which you<br>
won't believe how much trouble it causes, virtual memory on the video card<br>
handled by the operating system behind the driver's back ...)<br>
<div><div></div><div class="h5"><br>
> doing that big time, and putting a lot of resources for secure software<br>
> development. So the question whether or not the Tuesday Patch is a good<br>
> idea, and whether or not full disclosure is a good idea matters much less<br>
> than the question whether or not they have security experts evaluating the<br>
> security of each and every software signed by MS.<br>
> About the complexity of Windows and backwards compatibility, it is indeed an<br>
> issue which any company which develops for Windows needs to deal with. I<br>
> really don't see how it is related. Keep in mind that MS is making much more<br>
> software than just the Windows OS.<br>
><br>
> On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara &lt;<a href="mailto:gilboad@gmail.com">gilboad@gmail.com</a>&gt; wrote:<br>
><br>
> > On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:<br>
> > > Why do you think that MS believes in security by obscurity? I believe<br>
> > > that security problems in MS products are generally speaking being<br>
> > > released to the wild.<br>
> > > Why I think MS products have a better chance to be secure than your local<br>
> > > Joe Software shop, because they're having strict policies which are<br>
> > > supposed to enforce that:<br>
> > > 1) The SDL development process, which includes fuzz testing the<br>
> > > software specifically against security breaches. Every MS software<br>
> > > must undergo that. Do regular software you use do?<br>
> > > 2) Cryptography awareness. Every product which uses crypto must be<br>
> > > authorized by a specialized crypto group. Crypto is a thing which is<br>
> > > easy to create and hard to verify. Is Winzip encryption algorithm<br>
> > > being reviewed by a crypto expert? I'd rather know that the software I<br>
> > > use had a strong peer review.<br>
> > > Correct me if I'm wrong, but these two processes are hardly seen in<br>
> > > other places of the software industry.<br>
> ><br>
> > ... I doubt that any of the above has anything to do with the points I<br>
> > raised in my previous post, but never mind, let's agree not to agree.<br>
> ><br>
> > - Gilboa<br>
> ><br>
> > _______________________________________________<br>
> > Linux-il mailing list<br>
> > <a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
> > <a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
> ><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Check out my web site - <a href="http://www.words2u.net">www.words2u.net</a><br>
</div></div>