Slashdot Mirror


Cryptogram Judges MS Security

johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to 'provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity.' Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M: A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.

5 of 204 comments

  1. Re:Covered previously by thagale · Score: 2, Informative

    Wrong. This article came out today, in the Cryptogram, which comes out monthly on the 15th. As such, it was not reported last week. :)

  2. Microsoft hasn't changed by JoeBuck · Score: 3, Informative

    See this story in the San Jose Mercury. Even now, Microsoft is still treating security as a public relations problem. Their response to the discovery of security holes in their products is still, in too many cases, to deny it.

  3. Re:here goes... by iiii · Score: 2, Informative

    "They are making an effort now."

    That is the question. Certainly it would be a very good thing if they are making the effort, but are they? Schneier said it better than I could:

    "...I hope he's right when he says that Microsoft is committed to that challenge. I don't know for sure, though. I can't tell if the Gates memo represents a real change in Microsoft, or just another marketing tactic. Microsoft has made so many empty claims about their security processes -- and the security of their processes -- that when I hear another one I can't help believing it's more of the same flim-flam."

    --
    Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again

  4. Re:Covered previously by oddjob · Score: 3, Informative

    Just to back you up, here's the old article

    Security Community Reacts to Microsoft Announcement
    by Hemos with 471 comments on Friday January 25, @11:25AM

    The Counterpane article is the same as the earlier Security Focus article.

  5. no need to rewrite everything by AdamBa · Score: 3, Informative

    Schneier writes:

    "Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."

    This is false. XP, based on NT, has security built in. The vulnerabilities discovered so far basically seem to be in two camps:

    1) Buffer overflows left in the code -- rewriting won't help these, it will likely just introduce more. They just need to be found and fixed. Microsoft is in fact going over all its code line-by-line, but I can't imagine that glassy-eyed developers spending a month doing that is actually going to find all the overflows.

    2) Bad design, in particular allowing foreign code to execute. I.e. the various Outlook email viruses. These need to be removed, which is a basic change in how Microsoft thinks (security over nifty features), but again you don't need to rewrite Outlook to stop it from executing scripts by default.

    Methinks Schneier might be fantasizing a bit about Microsoft *having* to do this, of saying, as he puts it, "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out." It seems like he would like to see Microsoft fall behind in the market because they have to throw all their current code away. Plus he hates SOAP (since it sneaks past firewalls inside HTTP), which is one of the technologies .NET is based on.

    Personally I think this is basically more marketing hype from Microsoft. Because they are still not going to penalize developers who write insecure code (something that was bandied about but not adopted) -- it will still be, "Oops, we did it again". So with no real connection between good code and stock options, developers at Microsoft won't change.

    - adam