-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Szilveszter Adam
Sent: donderdag 8 april 2004 9:33
To: LC
Subject: Re: [Full-Disclosure] Vulnerability response times -- MS and others
hggdh wrote:
> Anyways... the report seems to indicate that Microsoft is the fastest
> on solving security issues.
>
> Comments?

- Indicate that with MS, there is a team that you can trust and not some random hacker in China who will commit some sneak fix after midnight. (I think the "Chinese hacker" part is especially effective - outside of China of course, there they probably use something else like "some unknown US hacker" :-) - because of the "latent fear of the unknown" factor, even playing with racist sentiments in the meantime)

One should be careful trusting code from whatever company, organisation or person. Unless you wrote all the code yourself, thus knowing its inner workings well, no trust should be placed in code from others. Ken Thompson understood this in 1983 (if I am correct, I could be a couple of years off), and unfortunately his observations still apply today. There is little trust to be placed in source code.

Either MS fails to understand this, or they are blind to the problem (either intentionally or unintentionally). Fact is that loads of universities, countries and other organisations have access to the Windows source code. Besides that, MS has a large development center in India, and of course a lot of programmers in Redmond. Apparently Microsoft is willing to place their complete trust in all those programmers. However, there is no guarantee that Microsoft's "trusted" programmers will behave any better with respect to the creation of Easter Eggs, hidden backdoors or other interesting undocumented remote administration features.

Perhaps the question should be: "Do you place more trust in software created by a company with a hideous security track record that is operated on a for-profit basis than you place trust in software created by a group of people for fun/reputation/need/whatever whose source code you can audit?"
Remember that in the end, Microsoft (and any other commercial software vendor) is motivated by its own commercial interests, which may or may not happen to coincide with yours. (Though I realise the same applies to open source software, however one can use the source to take the package in an alternate direction.)

Regards,
Rob

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html