[funsec] fog of cyberwar
rsk at gsp.org
Sat Jan 23 15:54:09 CST 2010
On Sat, Jan 23, 2010 at 08:34:16AM +0200, Gadi Evron wrote:
> On 1/23/10 2:02 AM, Rich Kulawiec wrote:
> > Meanwhile, Microsoft has essentially unlimited personnel and financial
> > resources. They could hire 500 top-notch staff tomorrow, pay them
> > out of petty cash, and completely rewrite IE with security as the
> > overarching design goal -- if they wanted to. They could have done
> > so years ago -- if they wanted to.
> Microsoft has put a lot into securing its code, and is very good at
> doing so.
I think there's a big disconnect between that and:
> A whole month as the default response to patching a 0day? Really?
If they were actually interested in doing the right thing, and not
merely trying to be perceived as doing the right thing, then they
simply would not have allowed that month to elapse. First, they would
have been ready for it (this is not the first 0-day), and second, they
would have pushed The Big Red Button which summons all available and
applicable personnel to work the issue 24x7 until resolved.
Other entities/projects do this, sometimes with mixed results
(e.g. not-quite-fixes) but they're clearly making the effort.
I do not see this effort from Microsoft: their fastest response
seems to come from their well-paid professional spokesliars.
I'll also put it this way: suppose you're right. Suppose Microsoft
has put a lot into securing its code. Whatever they're doing...it's
not working very well. Because the number of zombies continues to
monotonically increase, just as it has for most of a decade. Once again,
if Microsoft was serious about security, they would be taking corporate
responsibility for all those zombies and undertaking massive (and very,
very expensive) remediation efforts. They're not. They won't. They don't
even want to be in the same room with any mention of that problem, and
will deny it, obfuscate it, minimize it, anything but admit it.
If what they're doing was going to work, it would have worked by now.