Common problems with Ubuntu

Common problems with Ubuntu

Elazar Leibovich elazarl at gmail.com
Tue May 11 20:23:34 IDT 2010


Why do you think that MS believe in security by obscurity? I believe that
security problems in MS products are generally speaking being released to
the wild.
Why I think MS products has better chance to be secure than your local Joe
Software shop, because they're having strict policies which are supposed to
enforce that:
1) The SDL development process, which includes fuzz testing the software
specifically against security breaches. Every MS software must undergo that.
Do regular software you use do?
2) Cryptography awareness. Every product which uses crypto must be
authorized by a specialized crypto group. Crypto is a thing which is easy to
create and hard to verify. Is Winzip encryption algorithm being reviewed by
crypto expert? I'd rather know that the software I use had a strong peer
review.
Correct me if I'm wrong, but this two processes are hardly seen in other
places of the software industry.

On Tue, May 11, 2010 at 5:39 PM, Gilboa Davara <gilboad at gmail.com> wrote:

> On Tue, 2010-05-11 at 04:08 -0700, Elazar Leibovich wrote:
> > Not at all!
> > Google for "Microsoft SDL", it was not always the case, but nowadays
> > they have excellent security awareness.
> > For example, see evidence for the change here:
> >
> http://blogs.msdn.com/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx
> >
>
> I rather not go into this argument, but a company the officially has an
> policy of "patch Tuesday" and still believes in security by obscurity
> can not (and must not) be considered as security aware.
>
> Plus, even if MS truly changed its colors (and I -really-, -really-
> doubt it), considerable parts of the Win32/WinNT basic design was never
> designed with security in mind, and breaking them will force MS to drop
> backward compatibility with previous releases (such as XP/2K3/etc) -
> something that MS simply cannot do.
>
> But, feel free to think otherwise. Hopefully (for you), you are right
> and I'm wrong.
>
> - Gilboa
>
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100511/a52f5f16/attachment.html>


More information about the Linux-il mailing list