V.i. Labs on MSFT Insecurity
Thomas Ptacek | June 29th, 2006 | Filed Under: Industry Punditry
Microsoft has gotten a bad rap with its software problems, and deservedly so, says David Pensak, CTO [of V.i. labs] “But they have a lot of fundamental design problems in their software… They made some [poor] decisions before people understood how evil the hackers are,” he says.
Do these guys have anything real to say? Microsoft spends more on security in a quarter than the research community will spend all year. How evil the hackers are? How about, how unbelievably hard it is to get a computer to do exactly what you want it to, under all conceivable circumstances, and nothing else?


Byron Sonne
June 30th, 2006 10:07 am
And spending tons of money means… what exactly?
Thomas Ptacek
June 30th, 2006 10:11 am
In our economy, a company can exchange money for goods and services, such as the attention and advice of the best vulnerability researchers in the field.
Josh Daymont
June 30th, 2006 11:37 am
Byron
There is no doubt that Msft is pulling out the stops on securing its code. People who have been in this industry a long time and thought that the mister softies “would just never get it” back in the 90s have been proven wrong. They have gotten really savvy at sourcing security talent, which is usually the most difficult part of the process. That doesn’t mean they are above average in using the talent they get, but chances are they’ll improve in that area over time as well.
None of this means people will stop finding ways to exploit Microsoft products; that’s just not in the cards given the realities of building software today. But if you think those corporate and middle management types in Redmond still have their heads in the sand, you are wrong.
Regarding the VI story:
As for Microsoft design decisions, it’s easy to argue that they do not optimize design decisions for security, because they don’t. They optimize those decisions for lots of things *including* security. If Windows was purely a security product it would stop being an operating system and people would stop using it, whether it was bundled with their PC or not.
Thomas Ptacek
June 30th, 2006 12:07 pm
I want to add: Byron, don’t get me wrong, I’m thrilled that you’re casting yourself in the “Dogmatic Skeptic” role, and I’ll give you the benefit of the doubt that the “Dogma” part is something you’re playing to make the argument interesting.
So, with us both back “in character”, what is it that makes you think security is not for sale? I mean, you work for a security vendor.
Rob
July 5th, 2006 10:03 am
Addressing -Pensak- in this post!!!
“Microsoft has gotten a bad rap with its software problems, and deservedly so”
Hey mate, Microsoft cater for most people on the planet. There are probably more hackers and crackers developing on Windows than there are users for any of the other systems. The bad rap comes from people like you.
Get real and smell the fish..
“But they have a lot of fundamental design problems in their software… They made some [poor] decisions before people understood how evil the hackers are,”
Are you mental, mate? ALL systems have “fundamental design problems” (even you Pensak) otherwise there wouldn’t be much need for more than one system, now would there? It’s called evolution.
And “before people understood”? Where were you born? Eden? Hellllooooo… What part of the words hacker or cracker needs to be “understood”? Any system needs to be secure (and yes, again, even you), everyone knows that. You do the best you can with what you got. So did they.
Anyways, considering my first statement… I’d say that MS’s decisions so far have been acceptable. Hence the user base, no?