Slashdot Mirror


Security Community Reacts to Microsoft Announcement

A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Craig Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.

1 of 471 comments

  1. Schneier co-writes a bad column! by petej · Score: 4, Flamebait

    Usually, Bruce Schneier writes good stuff, and I enjoy reading it. This time, though, the piece is riddled with misinformation and poor advice. I'm surprised.

    SOAP isn't just a Microsoft protocol, for one, but the main problem with that paragraph is that SOAP was not designed to elude firewalls, any more than RPC was. SOAP is just an RPC mechanism that happens to flow over HTTP, mostly because Dave Winer only knows one protocol -- HTTP. Mr. Winer didn't try to evade protocols, he just couldn't conceive of creating a different protocol for this application -- an error of omission, not commission.

    In terms of file and media distribution, the functions of an HTTP server, FTP server and gopher server are very similar, so there's actually some sense in bundling the three together (and MS isn't the only group to do this). The security problems come when dynamic execution is added to the mix in HTTP. Messrs. Schneier and Shostack desperately want to undo this, but they don't have the right answer -- the problem isn't stocking the three protocols together; it's that the Internet gave us three ways to do the same thing. To really address the security issue here, we should probably go back and redo the protocols so that dynamic content and media content flow over separate protocols, but there's no chance of this happening -- HTTP didn't kill FTP, and even gopher is making a mild comeback, so we're stuck with this mess for a long time.

    There's some good advice regarding security in that article, but the authors' notions of product design are off-target, and contrary to the direction a lot of folks (even those beyond MS) are taking.