What could have been done differently?
Steven M. Bellovin
smb at research.att.com
Wed Jan 29 02:00:48 UTC 2003
In message <20030129014651.GB80965 at darkuncle.net>, Scott Francis writes:
>
>There's a difference between having the occasional bug in one's software
>(Apache, OpenSSH) and having a track record of remotely exploitable
>vulnerabilities in virtually EVERY revision of EVERY product one ships, on
>the client-side, the server side and in the OS itself. Microsoft does not
>care about security, regardless of what their latest marketing ploy may be.
>If they did, they would not be releasing the same exact bugs in their
>software year after year after year.
They do have a lousy track record. I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard. In fact, I hope that some other vendors follow their
lead. My big worry isn't the micro-issues like buffer overflows
-- it's the meta-issue of an overall too-complex architecture. I
don't think they have a handle on that yet.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
More information about the NANOG
mailing list