I guess we'll stay divided, but still, for the sake of completion I want
to clarify my argument.
My point is that some security decisions (for example, the "Tuesday patch"
you mentioned), even if they are very wrong (and obviously, MS security guys
would beg to differ), don't play a very big role in the overall security of
your products.
However, good software engineering practices play a big role, and MS is
doing that big time, putting a lot of resources into secure software
development. So the question of whether or not the Tuesday Patch is a good
idea, and whether or not full disclosure is a good idea, matters much less
than the question of whether or not they have security experts evaluating the
security of each and every piece of software signed by MS.
About the complexity of Windows and backwards compatibility, it is indeed an
issue which any company that develops for Windows needs to handle. I
really don't see how it is related. Keep in mind that MS is making much more
software than just the Windows OS.

On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara <gilb...@gmail.com> wrote:

> On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:
> > Why do you think that MS believes in security by obscurity? I believe
> > that security problems in MS products are, generally speaking, being
> > released to the wild.
> > Why I think MS products have a better chance to be secure than your local
> > Joe Software shop: because they have strict policies which are
> > supposed to enforce that:
> > 1) The SDL development process, which includes fuzz testing the
> > software specifically against security breaches. Every MS software
> > must undergo that. Does the regular software you use?
> > 2) Cryptography awareness. Every product which uses crypto must be
> > authorized by a specialized crypto group. Crypto is a thing which is
> > easy to create and hard to verify. Is the WinZip encryption algorithm
> > being reviewed by a crypto expert? I'd rather know that the software I
> > use had a strong peer review.
> > Correct me if I'm wrong, but these two processes are hardly seen in
> > other places in the software industry.
>
> ... I doubt that any of the above has anything to do with the points I
> raised in my previous post, but never mind, let's agree not to agree.
>
> - Gilboa
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>