[SLUG] Re: More FUD from Microsoft -- when Ballmer speaks, MCSEs should close their ears ...

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Sun Nov 21 2004 - 21:13:30 EST


On Sun, 2004-11-21 at 20:51, Steven Buehler wrote:
> "We think our software is far more secure than open-source software. It is
> more secure because we stand behind it, we fixed it, because we built it.
> Nobody ever knows who built open-source software," he added.

When Ballmer speaks, MCSEs should close their ears.

His statements on Microsoft solutions are not only useless to MCSEs and
Microsoft Solution Providers, but they can do a great disservice. I.e.,
one of these days Microsoft is going to have to admit the _major_
_deficiencies_ of their own products versus 3rd parties for the Windows
platform.

<mega-tangent>

Right now I'm embroiled in an increasing amount of private
correspondence with various Microsoft individuals at various levels. A
colleague of mine quoted me, and that led me directly into the
thick of it.

Part of the reason has to do with the fact that I found a major ESMTP
flaw with Exchange 5.5's RFC822 parsing back in late '99 / early 2000
that still remains largely unaddressed in even Exchange 2003 (and a full
admin-priv exploit in 5.5 and 2000). Microsoft stopped short of
threatening me when I failed to get a Microsoft Solution Provider and
then Microsoft itself to recognize the major security issue with its
RFC822 parser and was going to go to CERT (looking back, I should have
regardless).

Another reason is my knowledge of how bad SQL Slammer hit Microsoft, and
the level of proliferation of Altiris tools inside of Microsoft. In a
nutshell, Microsoft has *0* control over its own release control of
patches. They tried to address it with the monthly cycle to test
interdependencies, but they are still relying _heavily_ on 3rd parties.
Hence why _no_one_ should trust SUS/WUS/SMS.

Because like many Microsoft products, Microsoft doesn't deploy them
internally because of such deficiencies, addressed far better by 3rd
parties. Ultimately they use Altiris at the top to address the
"interdependency hell" of patching. Microsoft has still to fully admit
that is _exactly_ what caused SQL Slammer. I.e., two later patches
_silently_ uninstalling the earlier patch that would have prevented it
-- "staying current" _caused_ MS SQL systems to be susceptible!

Long-term, the argument goes much deeper into "integration" v.
"piecemeal." At the heart is the destruction of "Cairo" (the same logic
makes "Longhorn's" total destruction also a no-brainer ;-) and using MS
IE as an "OS update/feature service" with DLLs written for "Chicago"
(DOS7/Win16) and not NT (NT/Win32), which is what 99.9% of exploits
target today in Win32.

-- 
Bryan J. Smith                                    b.j.smith@ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:55:13 EDT