What could have been done differently?

Wed Jan 29 04:46:48 UTC 2003

On Tue, Jan 28, 2003 at 09:00:48PM -0500, smb at research.att.com said:
> In message <20030129014651.GB80965 at darkuncle.net>, Scott Francis writes:
> 
> >There's a difference between having the occasional bug in one's software
> >(Apache, OpenSSH) and having a track record of remotely exploitable
> >vulnerabilities in virtually EVERY revision of EVERY product one ships, on
> >the client-side, the server side and in the OS itself. Microsoft does not
> >care about security, regardless of what their latest marketing ploy may be.
> >If they did, they would not be releasing the same exact bugs in their
> >software year after year after year.
> 
> 
> They do have a lousy track record.  I'm convinced, though, that
> they're sincere about wanting to improve, and they're really trying
> very hard.  In fact, I hope that some other vendors follow their
> lead.  My big worry isn't the micro-issues like buffer overflows
> -- it's the meta-issue of an overall too-complex architecture.  I
> don't think they have a handle on that yet.

Quite true - complexity is inversely proportional to security (thanks, Mr.
Schneier). Unfortunately, it seems like the Net as a whole, including the
systems, software and protocols running on it, only gets more complex as time
goes by. How will we reconcile this growing complexity and our increasing
dependency on the global network with the ever-growing need for security and
reliability? They seem to be accelerating at the same rate.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030128/b18489ea/attachment.sig>