RE: Bush Approves Cybersecurity Strategy (TechNews.com)

Rattle wrote:
] Microsoft is not _not_ a good place to pull your security
] people from, IMHO. Granted, I know know jack about Schmidt,
] but Microsoft is the source of most of the security problems
] that threaten our network infrastructure. For Jah's sake,
] you'd be better off getting computer security people from the
] RIAA, they have been hacked a few times less than the average
] MS product..

I wanted to comment just on this one thought. First, regardless of what you think about MS in terms of product quality, business ethics, whatever... you cannot defensibly state that their products are any less or more vulnerable to hacking and security breaches than any other computer 'system'. The reason why people cite MS as vulnerable or 'doing a poor job' at security issues is because that's all the media focuses on. Particularly 'tech' media, like Slashdot et al.

First, MS products are by far the dominant market leaders in their category. There are simply more installations of them than any others. So when there is a weakness (i.e. Slammer) then obviously there is going to be more damage. That's not MS's fault. If it were Linux or OS X that had market domination, people would still bitch.

Second, 99% of the vulnerabilities that get cited are crap. Things like stack smashes and buffer overrides are hardly new and are hardly vulnerabilities, since executing rogue code using these techniques is only theoretical. Read the CERT advisories. Even the people finding these vulnerabilities state that they are unable to execute code; just that the possibility theoretically exists.

Thirdly, I've been very impressed by MS's ability to patch things on a timely basis. Granted, they have not been the perfect example of admitting to certain things, nor have they the optimum toolsets necessary to patch things up (Windows Update is not very well designed for managing large installations or automated operations). BUT, they don't suck. It's hard to blame MS for things like Slammer when the damn patch was available for 6 months.

Finally, modern systems are extraordinarily complex. Too complex perhaps. And so that is going to create weaknesses and vulnerabilities that no QA system will be able to keep up with. With the proliferation of digital technologies encompassing dozens of platforms and thousands of 'chunks', it's inevitable that there will be faults. Just like real life. While I think it's a good process to continue to pursue perfection, even though it's unattainable, the fact is that people like MS get shit on in the process through no fault of their own.