Re: [Full-Disclosure] M$ - so what should they do?
tcleary2_at_csc.com.au
Date: 06/22/04
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] M$ - so what should they do?"
- Maybe in reply to: Michael Schaefer: "Re: [Full-Disclosure] M$ - so what should they do?"
- Next in thread: Eric Paynter: "Re: [Full-Disclosure] M$ - so what should they do?"
- Reply: Eric Paynter: "Re: [Full-Disclosure] M$ - so what should they do?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Tue, 22 Jun 2004 11:09:42 +0800
Valdis Kletnieks said:
>It's not as simple as "throw it out and start again" - what's feasible
for a
>student's semester project or a small company's small software package
isn't as
>feasible when it's one of the largest sets of intertwined code ever
written....
And that's the main point - the enemy of security isn't any given
company/package/platform.
It's complexity.
Complexity guarantees that there will be flaws, that might be exploited,
in any product.
The only products with no reported vulnerabilities are small, low use
products, and the main reason there aren't any reports is no-one's
bothered to look.
It's a principle that no matter how much effort is put into attempting to
achieve perfection, not just "six sigmas", it can't be achieved.
Without perfection no-one, not just Business, can risk a monoculture (
just ask the U.S. Wheat farming industry )
'Cos this isn't medicine, where "acceptable losses" can be estimated - who
could guess the impact from a code flaw in the root servers? Or base code
for HTTP handling? Or the privilege handling code in Windows?
I believe Microsoft are making genuine efforts to improve their code.
But even with billions in the bank to spend on it, they can't make it
perfect.
And in order to trust that their code can run EVERYTHING, that's what it'd
have to be.
The corollary, of course, is that I.T will become more expensive because
people will have to bite the bullet and get people with more than one
skillset, or more people.
Of course, they could outsource...... ;-)
Regards,
tom.
----------------------------------------------------------------------------------------
Tom Cleary - Security Architect
"In IT, acceptable solutions depend upon humans - Computers don't
negotiate."
----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit
written agreement or government initiative expressly permitting the use of
e-mail for such purpose.
----------------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] M$ - so what should they do?"
- Maybe in reply to: Michael Schaefer: "Re: [Full-Disclosure] M$ - so what should they do?"
- Next in thread: Eric Paynter: "Re: [Full-Disclosure] M$ - so what should they do?"
- Reply: Eric Paynter: "Re: [Full-Disclosure] M$ - so what should they do?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
