Common problems with Ubuntu
Elazar Leibovich
elazarl at gmail.com
Tue May 11 23:50:49 IDT 2010
I guess we'll stay divided, but still, for the sake of the completion I want
to clarify my argument.
My point is, that some security decisions (for example, the "Tuesday patch"
you mentioned), even if they are very wrong (and obviously, MS security guys
would beg to differ) doesn't play a very big role in the overall security of
your products.
However good software engineering practices plays a big role, and MS is
doing that big time, and putting a lot of resources for secure software
development. So the question whether or not the Tuesday Patch is a good
idea, and whether or not full disclosure is a good idea matters much less
than the question whether or not they have security expert evaluating the
security of each and every software signed by MS.
About the complexity of Windows and backwards compatibility, it is indeed an
issue which any company which develops for Windows need to handle with. I
really don't see how is it related. Keep in mind that MS is making much more
software than just the windows OS.
On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara <gilboad at gmail.com> wrote:
> On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:
> > Why do you think that MS believe in security by obscurity? I believe
> > that security problems in MS products are generally speaking being
> > released to the wild.
> > Why I think MS products has better chance to be secure than your local
> > Joe Software shop, because they're having strict policies which are
> > supposed to enforce that:
> > 1) The SDL development process, which includes fuzz testing the
> > software specifically against security breaches. Every MS software
> > must undergo that. Do regular software you use do?
> > 2) Cryptography awareness. Every product which uses crypto must be
> > authorized by a specialized crypto group. Crypto is a thing which is
> > easy to create and hard to verify. Is Winzip encryption algorithm
> > being reviewed by crypto expert? I'd rather know that the software I
> > use had a strong peer review.
> > Correct me if I'm wrong, but this two processes are hardly seen in
> > other places of the software industry.
>
> ... I doubt that any of the above has anything to do with the points I
> raised in my previous post, but never-mind, lets agree no to agree.
>
> - Gilboa
>
>
>
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100511/0da85c67/attachment.html>
More information about the Linux-il
mailing list