RE: [SC-L] Any software security news from the RSA conference?

2004-03-01 Thread Alun Jones
 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of ljknews
 Sent: Friday, February 27, 2004 9:51 AM
 
 You must be thinking of a different Bill Gates than the one familiar
 to me.  I am thinking of the one who announced a few years ago that
 Microsoft would stop other activities for a month and fix 
 their security.

I wonder if this is the same Bill Gates who then doubled that time off new
development (note - he doesn't talk about security as a finished job), and
mandated the reading of the book Writing Secure Code, amongst other
things.

But Bill isn't the only person at Microsoft, and it's really important that
a large number of people at Microsoft get it.  Bill's job, when he turns
up to these things, is essentially to say whatever Microsoft's game plan is,
currently, not to impress us that he has found religion.  What's key is the
number of other people within Microsoft that get security.  As a Security
MVP, I get to spend time with some of these people, and they really do seem
to have a clue - I should know, I fill their inboxes with whatever my latest
pontifications on security are, and I read the responses I get back very
carefully.

Microsoft has a lot of code to contend with, and much of it is old - so a
lot of it has had to be scrubbed clean of imperfections, and some has had to
be re-written.  And yet, they're actually _doing_ it.  How many people are
howling about the decision to remove the non-RFC http format that's used by
so many scammers and spammers?  How many people are going to howl that
enabling the firewall by default in SP2 makes life harder for them?  There
are some very tough decisions being made in the right direction here, I
think.

Alun.

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

RE: [SC-L] Any software security news from the RSA conference?

2004-03-01 Thread ljknews
At 5:58 PM -0600 2/27/04, Alun Jones wrote:

Microsoft has a lot of code to contend with, and much of it is old - so a
lot of it has had to be scrubbed clean of imperfections, and some has had to
be re-written.

A few years ago I heard the problem described as the opposite - that for
Windows V.something about 30% of the existing code was entirely replaced
(compared to corrected), which is more than _any_ organization can handle
safely on a project of that size.