<div dir="ltr">Why do you think that MS believe in security by obscurity? I believe that security problems in MS products are generally speaking being released to the wild.<div>Why I think MS products has better chance to be secure than your local Joe Software shop, because they're having strict policies which are supposed to enforce that:</div>
<div>1) The SDL development process, which includes fuzz testing the software specifically against security breaches. Every MS software must undergo that. Do regular software you use do?</div><div>2) Cryptography awareness. Every product which uses crypto must be authorized by a specialized crypto group. Crypto is a thing which is easy to create and hard to verify. Is Winzip encryption algorithm being reviewed by crypto expert? I'd rather know that the software I use had a strong peer review.</div>
<div>Correct me if I'm wrong, but this two processes are hardly seen in other places of the software industry.<br><br><div class="gmail_quote">On Tue, May 11, 2010 at 5:39 PM, Gilboa Davara <span dir="ltr"><<a href="mailto:gilboad@gmail.com">gilboad@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Tue, 2010-05-11 at 04:08 -0700, Elazar Leibovich wrote:<br>
> Not at all!<br>
> Google for "Microsoft SDL", it was not always the case, but nowadays<br>
> they have excellent security awareness.<br>
> For example, see evidence for the change here:<br>
> <a href="http://blogs.msdn.com/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx" target="_blank">http://blogs.msdn.com/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx</a><br>
><br>
<br>
</div>I rather not go into this argument, but a company the officially has an<br>
policy of "patch Tuesday" and still believes in security by obscurity<br>
can not (and must not) be considered as security aware.<br>
<br>
Plus, even if MS truly changed its colors (and I -really-, -really-<br>
doubt it), considerable parts of the Win32/WinNT basic design was never<br>
designed with security in mind, and breaking them will force MS to drop<br>
backward compatibility with previous releases (such as XP/2K3/etc) -<br>
something that MS simply cannot do.<br>
<br>
But, feel free to think otherwise. Hopefully (for you), you are right<br>
and I'm wrong.<br>
<div><div></div><div class="h5"><br>
- Gilboa<br>
<br>
<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div></div>