[Full-Disclosure] Re: Microsoft Coding / National Security Risk
mvp at joeware.net
Fri Mar 26 18:23:55 GMT 2004
I would hope the US government isn't using Windows in the way normal home
users are. And in fact having personally spoken with several folks from the
US Government and the US Military (US Army specifically which was
interesting...) in charge of this stuff this week at a conference I can
actually in fact say that they don't use Windows like normal home users. The
machines are locked down. I also spoke with someone with the Norwegian NSA
and can say they also don't run Windows machines like normal home users...

You can have people who don't know how to run Windows, Linux, VMS, or ANY OS
or RTS. Security is a function of the quality of the people responsible for
securing the boxes more so than the OS/RTS on the box.

Microsoft, imo, grew up in a time when added functionality was more critical
to users' purchase decisions than security. People wanted things to work
fully and completely out of the box and security was not something they were
asking for nor willing to pay additional for development of. MS acceded to
that and produced that product. Now that mindset has changed and MS is
working towards the new mindset. Obviously if they don't, product demand
would NATURALLY lessen for MS and whatever product was most secure (assuming
that is what users really want) would gain market share and win.

As much as people would not like to believe it, MS cannot make a complete
crap product and have people continue to purchase it. Market economics does
not work that way no matter how much leverage MS may or may not have. We can say
all day that the lack of security is the fault of Microsoft but it really
comes back to what people were spending money on. They weren't looking for
security. Some were, sure, and those folks took what MS gave and locked it
down because the ability to lock many things down has been there for a long
while, just not heavily done. I have been hardening Windows machines since
at least NT4 SP3.

From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of borg at hush.com
Sent: Wednesday, March 24, 2004 9:00 AM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Re: Microsoft Coding / National Security Risk

> But if our government (USA) was smart (and I know they are)
> they wouldn't rely on Microsoft products to protect their data.