> > What the hell are the people at Micro$oft smoking !?! It seems this is yet
> > another poor attempt at damage control for all the bugs and security holes
> > that people discover in their software. I guess if you can't clean up your
> > code then you should blame the guy who found the bug/security loophole for
> > you !?!
Exactly.
M$ are just spewing their usual selfish, arrogant propaganda in order to
pass the buck.
Refusing to admit liability for failures in one's own product should be a
* offence.
Following their logic then, as an analogy - companies should not be allowed
to advertise their prices, because it encourages other companies to undercut
them. Or how about - road safety organisations should not be allowed to
publish car safety records, because it exposes weaknesses in certain car
designs, etc.
Of *course* M$ are going to react that way, that's how all self-serving,
monopolistic fascists react.
For the benefit of any M$ advocate reading this (the poor folk need all the
help they can get) let me spell it out for you. Security vulnerabilities are
discovered and taken advantage of regardless of whether or not those
vulnerabilities are publicly exposed. It isn't until they *are* publicly
exposed that those security holes become a high enough priority for
ill-motivated companies like M$ to plug them.
With OpenSource and GPL software there is no "market position" or financial
considerations to worry about, therefore "working code" is the highest
priority. Also because of the nature of OpenSource, an infinite number of
developers are testing for security loopholes (amongst other things) in an
*open* environment. It is this kind of environment that M$ is cruising.
Having thousands of people bashing away at their systems looking for
vulnerabilities - is too much like the OpenSource model for their taste,
they don't want anyone touching their code except in the capacity of a
"point and drool user" who, presumably, is more than happy to have his
system destroyed by viruses, and have Trojans broadcasting his credit card
details to the Russian mafia. If you want to develop, pay M$ thousands of
dollar$ for the privilege - then be prepared to submit to their iron will
and draconian policies, if not ... get out. Screwing up is one thing,
complaining that someone noticed it and then exposed it - is another. That's
just criminal. Well who are we to argue with the DOJ :)
> MS admits that security needs to get better. But likewise, they are also
> acknowledging that even patched vulnerabilities are still a problem on
> unpatched systems if exploit code is posted (sometimes years after the
> patch).
In other words, they know there's a problem, they just can't be bothered
fixing it. To reiterate the point again, just because nobody exposes the
weakness, it does not mean the weakness doesn't exist. Are you suggesting we
should all behave like ostriches, and just stick our heads in the sand?
Security problems need to be *fixed*, not ignored.
> Many believe the pain of exploiting unpatched systems is worth forcing
> the users to patch them. Others do not. ...
Why?
What possible reason could there be for *not* exposing (and subsequently
fixing) a security problem?
> However, in the case of Ramen, the one major worm that affected Linux,
> exploit code had been published prior to its creation. Coincidence?
Er ... no. I would describe that as a "development cycle". A little harsh
perhaps, forced - definitely, but none the less ... a development cycle.
> This isn't a new argument. Many experts have been arguing both sides of
> this for years.
Presumably with the money-grabbing financiers on one side of the argument,
and the actual software engineers on the other?
I have M$ Windows running here now. If I'm such an opponent of M$, why would
I infect my system with one of their viru... ahem ... Operating Systems?
Three reasons:
1) ... As Michael Corleone would say - keep your friends close, but keep
your enemies closer
2) ... I can't very well argue about something of which I have no
experience.
3) ... I'm a Pseudo Sado-*, who enjoys reverse engineering lamers'
code to expose its weaknesses ... probably.
[H]omer