Sunday, September 28, 2003

Security Steve

Well, as I was telling you the other day: I'm more and more on the side of MS. But lo and behold - well, don't say that, the phrase is so popular these days that it becomes just noise in the background - now I just read the article above, where Microsoft's CEO Steve Ballmer compares hackers to skyscraper-destroying terrorists with absolutely no morals.

"Hackers are criminals," Ballmer says, plain and simple.

And another quote about the "criminals":

"There's no way to look at these people as anything other than what they are: malicious people who are violating the law."

Unfortunately, this leaves no room at all for the interpretation that at least *some* so-called "criminals" serve the general public by announcing security holes. In the end, making software errors public forces software manufacturers to address security issues promptly, thereby preventing their exploitation in the future. Let's make a comparison: some
In the end this will make software more secure. I can draw no other conclusion than that Mr. Ballmer must be a big fan of the principle of security by obscurity (correct me if I'm wrong). Well, there's an abundance of information about why this is a bad thing. For starters, read what Bruce Schneier has to say about it in his Crypto-Gram newsletters (worth reading!) or his book Secrets and Lies. It just does not work, and in this digital age it is a dangerous way to keep something secret (thought added: well, it will not work *in the end*, as there will always be someone reading your mind somehow - and figuring out that your cmd.exe resides in c:\mytools instead of the system directory). I will not go into it any further, as I'll only do that when I have something new to tell you. Repeating what others have already said is only boring and contributes nothing to the discussion.

But we were talking about Microsoft. If they take the issue of security seriously, that is: if they are trying their best to make their software more secure, they can only be happy with so many people finding security holes in their products. What I don't mean is that you should just write an exploit, release it on some hacker FTP site, and not tell the manufacturer about the issue. A reasonable amount of time should be given to them to fix the hole and subsequently release a patch to the general public.