Security Community Reacts to Microsoft Announcement

A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Crag Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.

I'll belive it

[Evanrude]

When I see it. So far Microsofts security focus has been like looking through beer goggles.

How to make your Windows box secure

[quantaman]

Step 1. Disconnect the phone line, ethernet cable or whatever other device you use to connect to the internet.
Step 2. Drag all documents that you consider a risk to exposure to the recycling bin, recycle them, then use a disk utility to cover up all traces.
Step 3. Delete IE, MS Office, Outlook Express, and the Windows operating system from your computer.
Step 4. Take a large can of gasoline, a sledgehammer, and a match, and tape a photo of Bill Gates to the side of your machine.
Step 5. Follow your instincts.

Schneier and Shostack go too far

[Shimmer]

Microsoft certainly has alot of work to do to improve the security of their products, but I think Shneier and Shostack go too far in some of their recommendations. Here's the worst offender:

Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn.

First of all, SOAP is an industry standard, not a Microsoft protocol. Secondly, the need for security shouldn't prevent the development of web services over SOAP. I think the demand for these sort of services will mushroom over the next few years. Web services can be secured via the SOAPAction header attribute.

In general, we can't let security concerns prevent the development of useful new technology. Rather, we should make sure that such technology is secure prior to deployment.

-- Brian