Culp says...
"First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate fallacy. It's true that no code is perfect. It's false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated with flaws being exposed in their code. Frankly, I believe the hacks associated with Microsoft products differ fundamentally from the flaws discovered in Solaris and Linux. When a Linux exploit is discovered, hackers and maintainers consider it a design flaw. Therefore, exploits are generally fixed pretty fast on Linux -- usually within a few days. The same is true for Solaris.
Apparently however, Microsoft does not consider certain exploits to be design flaws. Sometimes, hackers simply leverage "features" (e.g. undocumented APIs) that Microsoft deliberately designed into their applications and/or systems.
Microsoft applications tend to execute arbitrary code. In other words, Microsoft deliberately empowers IIS, Exchange, Internet Explorer, Outlook and certain Office applications to execute unchecked commands fed over the Internet. Once hackers discover these (badly!) hidden APIs, it is only a matter of time before someone sends you an email which does something nasty to your computer.
Interestingly, despite these obvious security issues, Microsoft wants their programs to execute arbitrary code. Remember the Microsoft Word viruses? Remember the Excel viruses? Heck, email viruses were fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since the first MS-Word virus. Obviously, they understand the risks of allowing applications to execute arbitrary code. Nevertheless, they continue to build this ability into all their major products.
In fact, arbitrary code execution appears to be one of the core technologies behind Microsoft's .NET initiative. I suspect this is why Microsoft was so reluctant to repair the security flaws within IIS. Code Red and Nimda exploit APIs that Microsoft intends for their .NET initiative. Disabling these APIs would cripple .NET. Therefore, Microsoft did not fix IIS until they could re-think the design of .NET.
Culp states that vulnerabilities are here to stay. Most likely, .NET will reinforce his point. Given their track record, I expect .NET to be Microsoft's magnum opus of security deficiency.
At this late stage, re-designing .NET is out of the question. I guess Culp feels controlling what the world is allowed to communicate about .NET is easier.
I can't agree with Mr. Katz.
The rule of law in the United States is about the means, not the ends.
The US is founded on an axiomatic assumption that we all have rights. And the purpose of the government is to defend these rights -- or, from the point of view of the 18th century framers, to defend against tyranny.
In other words, the objective of the US government should be liberty and freedom from tyranny... not security.
In his book "The Secret Government", Bill Moyers interviewed a law professor (Edwin Firmage) regarding Iran/Contra. While answering a question regarding sacrificing certain rights to defend the US, Firmage had this to say:
"...any time we accept a reason of state argument to justify means that are totally incongruent with the values of our state, we're on the high road to tyranny and we deserve to be there."
I respect Mr. Katz's position. However, if we forfeit our rights, I believe we forfeit the founding ideology of the United States. For me, it's just too big of a leap.
We should limit the means by which we achieve our ends. If the so-called "great experiment" is to succeed, the US must achieve its ends within the limits of preserving our rights.
Didn't Jobs try to migrate NextStep/OpenStep to the Wintel platform? Soon after, Next had to close its doors.
Look, no flame war intended. I like Apple. I like OSX. I've been waiting for Apple to release a G5 powerbook.
But I'm not much of a Steve Jobs fan. I think he's possibly even more ruthless than Bill Gates, yet he seems a tad dumber.
(*sigh*) Woz, where are you?