North American Network Operators Group

Re: off-topic rant Re: product liability (was: Virus Update)

  From: Valdis.Kletnieks
  Date: Tue May 09 22:15:42 2000

On Tue, 09 May 2000 19:16:52 EDT, brad reynolds <[email protected]>  said:
> microsoft doesn't hold a gun to anyone's head, microsoft seems to provide 
> patches for their software when bugs are found.  

The problem is not that they provide or don't provide patches when
a bug is found.

The problem is that although the MIME working group *SAW* the
danger of executable attachments in 1991, a decade later, we still
have software that ignores the specific recommendations the original
MIME spec made (namely, the default setting is to allow execution).

The biggest problem is that although it can be a pain in some
assorted body parts to fix a bug in the implementation of a 
secure design, the pain of trying to patch a broken design
is worse - that's just simple Software Design 101.  The earlier
in the design cycle a problem is found, the easier it is to fix.

Case in point:  How many Java security bugs have there been? And
how many JavaScript security bugs?  Which package was designed
from the ground up to be secure and sand-box-able?

In today's Internet, there is no excuse for trying to substitute
patch-upon-patch as a valid security model instead of starting
from a known secure design. No Excuse. None. Zip.

And for the record, a federal court judge has ruled that
Microsoft *did* in fact hold a gun to somebody's head.  That's
what the entire anti-trust suit was about....

We now return you to your regularly scheduled backhoe or misconfigured
router incident....

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
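The post's point about the MIME spec's advice on attachments is that the safe default is never to execute what arrives in mail, and that a client built on that default has nothing to patch when the next attachment-borne virus turns up. The following is an added example, not code from the post or from anyone on the list: it parses a constructed multipart message with Python's standard `email` library and decides, per attachment, whether the part is simply saved or quarantined with a warning. No branch executes anything; the classifier only decides how loudly to warn. The Content-Type list, the extension list and the magic-byte prefixes are assumed, illustrative sets (not exhaustive), and the message itself is built inline so the example runs offline.

```python
"""Default-deny handling of MIME attachments (added example, not the post's code).

The verdict for a part is either "save" or "quarantine"; there is no "execute"
path at all, which is the secure default the post argues for.  Headers are
treated as untrusted: the declared Content-Type, the full chain of filename
extensions and the leading bytes of the payload are all checked.
"""
import email
import email.policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Content-Types that declare executable content (assumed list, not exhaustive).
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-executable",
    "application/vnd.microsoft.portable-executable",
    "application/x-sh",
}
# Extensions a mail client might hand to an interpreter (assumed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
    ".vbs", ".js", ".wsf", ".hta", ".ps1", ".sh",
}
# Leading bytes of common executable formats, checked regardless of headers.
MAGIC_PREFIXES = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "interpreter script",
}


def classify_attachment(part) -> dict:
    """Return a verdict for one MIME part: 'quarantine' or 'save', never 'execute'."""
    ctype = part.get_content_type()
    filename = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    reasons = []
    if ctype in EXECUTABLE_TYPES:
        reasons.append("content-type")
    # .suffixes returns every extension, so "invoice.txt.exe" is caught by ".exe".
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    if suffixes & EXECUTABLE_EXTENSIONS:
        reasons.append("extension")
    # Trust the bytes, not the headers: a text/plain part that begins with "MZ"
    # is still a PE file no matter what the sender declared.
    for prefix in MAGIC_PREFIXES:
        if payload.startswith(prefix):
            reasons.append("magic")
            break
    return {
        "filename": filename,
        "content_type": ctype,
        "size": len(payload),
        "action": "quarantine" if reasons else "save",
        "reasons": reasons,
    }


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify each attachment in order."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [classify_attachment(part) for part in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed sample (not a real message): one benign file, two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Files as discussed"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"meeting notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    # Double extension plus a Content-Type that lies about the payload.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="text", subtype="plain",
                       filename="invoice.txt.exe")
    # Script attachment labelled as generic binary data.
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream", filename="update.vbs")
    return bytes(msg)


if __name__ == "__main__":
    for verdict in scan_message(build_sample_message()):
        print(verdict)
```

The design choice worth noticing is that the three checks are independent and any one of them is enough to quarantine: a sender who controls the headers can defeat the Content-Type and extension checks, but not the magic bytes, and a packed or novel format that defeats the magic check is still caught by its extension. Even when every check misses, the worst outcome is a file saved to disk that the user must deliberately open, which is exactly the posture the original MIME recommendation asked for.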