Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

["David F. Skoll" <dfs@roaringpenguin.com>]

On Thu, 15 Jan 2004, Mary Landesman wrote:

> This anti-MS drivel is so tiresome.

I'm sorry you find the truth tiresome.  Heck, Dan Greer got fired for
speaking the truth -- that's pretty tiresome for him.

I agree that security is not a product, it's a process.  I agree that
every product has its security problems.

But by ignoring the HUGE security problems with Microsoft, we're doing
everyone a disservice.  By ignoring the vast differences in openness
and responsiveness of open-source vendors to security problems compared
to Microsoft's responsiveness, we're denying reality.

The fact is that Windows is fundamentally insecure.  To give just one
example, encoding meta-data in filenames (eg: .exe means "executable")
is a monstrous design mistake that has cost the economy billions by
allowing virus propagation.  That design mistake is impossible to fix
without fundamentally changing Windows.  It's in a completely different
league from "bugs" like buffer and heap overflows.  It's a "design flaw",
not a "bug".

While security is a process, not a product, you'll find that very often,
insecurity of a product is something that no process can fix.

--
David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html