Why do you think that MS believes in security by obscurity? I believe that
security problems in MS products are, generally speaking, being released to
the wild.
The reason I think MS products have a better chance of being secure than your
local Joe Software shop is that they have strict policies which are supposed to
enforce that:
1) The SDL development process, which includes fuzz testing the software
specifically against security breaches. Every piece of MS software must undergo
it. Does the regular software you use?
2) Cryptography awareness. Every product which uses crypto must be
authorized by a specialized crypto group. Crypto is a thing which is easy to
create and hard to verify. Is the Winzip encryption algorithm reviewed by a
crypto expert? I'd rather know that the software I use had a strong peer
review.
Correct me if I'm wrong, but these two processes are hardly seen elsewhere in
the software industry.

On Tue, May 11, 2010 at 5:39 PM, Gilboa Davara <gilb...@gmail.com> wrote:

> On Tue, 2010-05-11 at 04:08 -0700, Elazar Leibovich wrote:
> > Not at all!
> > Google for "Microsoft SDL", it was not always the case, but nowadays
> > they have excellent security awareness.
> > For example, see evidence for the change here:
> >
> http://blogs.msdn.com/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx
> >
>
> I'd rather not go into this argument, but a company that officially has a
> policy of "patch Tuesday" and still believes in security by obscurity
> cannot (and must not) be considered security aware.
>
> Plus, even if MS truly changed its colors (and I -really-, -really-
> doubt it), considerable parts of the Win32/WinNT basic design were never
> designed with security in mind, and breaking them will force MS to drop
> backward compatibility with previous releases (such as XP/2K3/etc) -
> something that MS simply cannot do.
>
> But, feel free to think otherwise. Hopefully (for you), you are right
> and I'm wrong.
>
> - Gilboa
>
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>