What could have been done differently?

Steven M. Bellovin smb at research.att.com
Wed Jan 29 02:00:48 UTC 2003


In message <20030129014651.GB80965 at darkuncle.net>, Scott Francis writes:
>

>There's a difference between having the occasional bug in one's software
>(Apache, OpenSSH) and having a track record of remotely exploitable
>vulnerabilities in virtually EVERY revision of EVERY product one ships, on
>the client-side, the server side and in the OS itself. Microsoft does not
>care about security, regardless of what their latest marketing ploy may be.
>If they did, they would not be releasing the same exact bugs in their
>software year after year after year.


They do have a lousy track record.  I'm convinced, though, that
they're sincere about wanting to improve, and they're really trying
very hard.  In fact, I hope that some other vendors follow their
lead.  My big worry isn't the micro-issues like buffer overflows
-- it's the meta-issue of an overall too-complex architecture.  I
don't think they have a handle on that yet.



		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)





More information about the NANOG mailing list