RE: Your Opinion

Wouldn't it be wonderful if we could have this discussion without mentioning
the M-word?

It seems to me that the OS vendor's ethical obligation is to produce the
most secure platform they reasonably can and to fix any and all problems in
it for free. Beyond that, lots of security problems exploit weaknesses in
things other than the OS (like, say, the users) and there will always be a
place (market?) for protection against those things regardless of how secure
the OS platform is.

Further, I'd bet that most of us are fans of defense in depth. Even if an
OS was as secure as it could be and patches were free and ubiquitous,
wouldn't it be prudent to layer something on top of that? If the OS vendor
is acting ethically, following the obligations mentioned above, what
difference could it make who produces the layered security product?

The so-called conflict of interest arises from the perception, rightly or
wrongly, that the OS vendor might be tempted to act in a less than ethical
manner. If we presume ethics always and punish severely ethical lapses
(which we should do regardless), it doesn't matter who produces the security
platform.

It would be most interesting to have a poll on this subject, both of the
security community and the public at large.

Scott


-----Original Message-----
From: Mark Litchfield [mailto:Mark@xxxxxxxxxxxxxxx]
Sent: Friday, March 16, 2007 2:49 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
full-disclosure@xxxxxxxxxxxxxxxx
Subject: Your Opinion

I have heard the comment "It's a huge conflict of interest" for one company
to provide both an operating platform and a security platform" made by John
Thompson (CEO Symantec) many times from many different people. See article
below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS, why
would it be a conflict of interest for them to want to protect their own OS
from attack. One would assume that this is a responsible approach by the
vendor, but one could also argue that their OS should be coded securely in
the first place. If this were to happen then the need for the Symantec's,
McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark

Relevant Pages

  • Re: Opinion: I was just trying to sell OpenVMS
    ... and the open internet and you can run whatever platform you like. ... Anybody that thinks that windows is secure, will indeed be getting a very nasty surprise. ... M$ windows is insecure and security was never part of the original design. ... Got a virus right off the bat within a 1/2 hour. ...
    (comp.os.vms)
  • Re: Opinion: I was just trying to sell OpenVMS
    ... and the open internet and you can run whatever platform you like. ... Anybody that thinks that windows is secure, will indeed be getting a very nasty surprise. ... M$ windows is insecure and security was never part of the original design. ... However, VMS could have the same type of exploits, and if you run with privs, and execute some maleware, it could be just as bad as windoz. ...
    (comp.os.vms)
  • Anyone Using CP "Secure Platform"
    ... We are considering upgrading our FW from Solaris/4.1 to Secure ... Platform install may prefer one vendor over the other. ...
    (comp.security.firewalls)
  • Re: Patch 4/6 randomize the stack pointer
    ... > Real engineering is about doing a good job balancing different issues. ... this is true of real security too. ... Being too strict "because it's the secure way" just means that people will ... Maybe a vendor might care about not breaking existing ...
    (Linux-Kernel)
  • Re: Left luggage at Manchester Piccadilly?
    ... Or have they closed due to security concerns? ... I believe its still open on Platform 10 ... I have used it twice recently. ... It appears safe and secure, ...
    (uk.railway)