Microsoft and Security



Moogie
05-21-2002, 01:19 PM
It appears to me that a senior MS exec really, really put his foot in the pie! This excerpt is from the page ( of Robert Thompson, a noted writer on technology issues, and author of "PC Hardware in a Nutshell"). I saw the relevant testimony in the SJ Merc/News, but hadn't followed my initial "Hoo-boy did HE step in it" thought to its logical conclusion.

Just for instance - the first time someone's personal medical data gets divulged by these security flaws, AND this guy's sworn testimony is cited in a law-suit, MS is going to have to pay out a bunch of loot (eventually).

= = = = EXTRACT = = = =

Certainly, the fact that Windows has had and is likely to continue to have gaping security holes comes as no surprise to anyone, but the key issue here is that Microsoft appears to be admitting in sworn testimony that Windows itself is inherently insecure and cannot be fixed. If that is the case, how can any organization, whether a private company or a government agency, do anything other than migrate away from Microsoft software as quickly as possible? To take any other course may open that organization to huge liability settlements if their data are compromised. How can any company argue that they took reasonable and prudent measures to secure the data with which they were entrusted if they continue using Microsoft software? I don't know. I'm not a lawyer (Thor be praised!) but I suspect there are many lawyers just waiting to jump on this.

In effect, Microsoft is arguing that security-by-obscurity is good enough, but anyone who understands anything about software security knows that is not true, particularly for software as ubiquitous as the Windows operating systems. Even if it were true, the simple fact is that Microsoft has no obscurity. They'd like us to believe that their source code is unavailable to would-be crackers, but the truth is that thousands of people inside and outside Microsoft have access to the source code. Anyone who wants access to that source code badly enough already has access or could get it by fair means or foul. So in effect what Microsoft is saying is:

a. From a security standpoint, Windows is too badly broken to be fixed.

b. As long as our source code remains undisclosed, everyone is safe.

c. Oh, by the way, there are thousands of people inside and outside the US that have access to part or all of our source code.

From that, it would appear that the inevitable conclusion is that Windows is too badly broken to be fixed, that none of us are safe, and that the only responsible decision is to migrate from Windows to a more secure operating system as soon as possible. Some have suggested that one possible answer would be for Microsoft to convert Windows to Open Source and allow hordes of skilled OSS programmers to fix it. I'm afraid that wouldn't work, though. By all accounts, Windows is a complete mess, so I'm afraid the same thing would happen that happened with Mozilla. The original plan was to use Netscape code as the basis for Mozilla, but after a time-consuming false start, the Mozilla group finally reached consensus that it would be easier just to scrap the Netscape code and start from scratch.

So it seems that by Microsoft's own sworn testimony Windows is fatally flawed. Or am I missing something?