Re: [SLUG] MS claims "We're more secure... really"

From: patrick (onepatrick@ozline.net)
Date: Sat Apr 14 2001 - 20:42:51 EDT


and check this out too :)

http://news.cnet.com/news/0-1003-200-5565061.html

If these people weren't being hurt, it would be funny.

On Sat, 14 Apr 2001, you wrote:
> First off, the Newsforge 'article' didn't contain any particularly useful
> information, save for a link to an article on Security Focus, which is:
>
> http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D191
>
>
> Now on to the reply:
>
> Russell Hires wrote:
> > I think MS does make a valid point about OS and "lack of security."
>
> Not really. Mainly just more FUD. But then, no huge surprise there.
>
> > It's not a great point, but they are right about security audits...
> >
> > ...audits MS says that MS does?
>
> If they're so right about audits being necessary, why don't they DO
> anything about it themselves?
>
> Now the fact is (IIRC), Windows (even NT/2000) is the most widely exploited
> (and exploitable) OS currently on the market. Yet here is Micro$oft
> talking so seriously about the need for security code audits. I can only
> see two explanations for this obvious disparity. Either Micro$oft is
> hoping that because they're accusing Open Source software of lacking for
> security auditing, nobody will look too deeply into what audits they may
> have done in the past or are doing now. (And pay no attention to the man
> behind the curtain, either...) Or their staff actually has performed audits
> and has merely proved incompetent at the task. On the other hand, how
> much effort is required to perform a line-by-line security audit on an
> operating system consisting of some forty MILLION lines of code? How many
> coders does Micro$oft have? How many years would such an effort take, even
> to the exclusion of other bug fixes or feature enhancements?
>
> Given the above, along with Micro$oft's history to date, I'd say the smart
> money goes to this latest attack being nothing more than another lame
> attempt at a smoke screen.
>
> > Is there a Linux security team at any of the distros? Do they perform the
> > audits...
>
> Most distributions that I am aware of seem to primarily handle security
> fixes as vulnerabilities become known (through websites such as
> SecurityFocus, et al). When vulnerabilities are made known, the major
> distributions (Red Hat, Mandrake, Suse) typically have fixes implemented
> and updated packages available in no more than half the time it takes
> Micro$oft to do the same. (In the article, Micro$oft claimed this was
> because THEY performed testing on their fixes, implying that Open Source
> vendors release fixes to the public without performing any testing
> whatsoever. And they REALLY expect anyone to believe this tripe?)
>
> There are distributions which are more security-oriented. Take Trustix,
> for instance. And isn't the NSA working on Linux-based security?
>
> Then again, remember that Micro$oft wasn't just singling out Linux, but
> Open Source software in general. I'll point out, then, that the OpenBSD
> kernel _has_ in fact undergone a line-by-line security audit, as well as
> being hardened in other ways.
>
> So no, I don't think Micro$oft has made any valid point at all in their
> remarks, except perhaps, "Do as I say, not as I do."

-- 
Love is all u need, Love is all u need, Love is all u need.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:39:45 EDT