Interview With Microsoft's Chief of Security
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks.
/. readers might find it interesting. They can find it here."
Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."
If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.
"What is the sound of one belly slapping?"
(When asked about full disclosure, and publishing of exploits)
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.
Yeah, except there really IS a fire.
So when there is a fire in a movie theatre, he's suggesting the person who notices it just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?
Yeah, GREAT analogy.
Absolutely. I remember when a recent (not too serious) hole was found *by* SuSE's security team (I don't remember the package, sorry). One of the primary reasons I run SuSE is because of their awesome security team. They borrow a ton of stuff from OpenBSD, and that's a good thing. I also highly recommend their security mailing list no matter what distro you use, and their security scripts are deliberately distro-blind (I've installed them on critical Red Hat servers at work, and they work beautifully).
I ran YOU (YaST Online Update) manually and I looked through all of the updates. They submitted the patch to the original developers before sticking new packages on their servers. The new version of that package from the original developers (i.e., they applied SuSE's patch) was released three days later.
But that's not the most important thing. Am I screwed if SuSE dies? Hell, no. My number one reason for preferring open source is that I can get *anybody* to do the work for me, including myself.
I've said it many times before: price is not the issue, control is. Sure, I can get SuSE for free all I want, but I pay for it just so their packagers and bug-fixers get to stay on board.