|
||||||||||
|
||||||||||
This is an unofficial archive site only. It is no longer maintained.
You can not post comments. You can not make an account. Your email
will not be read. Please read this
page or the footnote if you have questions. |
||||||||||
Microsoft has taken a lot of crap over the years about its buggy software. It's not really necessary to to talk about all the recent articles about the latest bug report regarding Microsoft software. Hell, that's a story we've all heard time and time again.
However, Microsoft hoped to put a lot of the mud slinging to rest some time ago when it announced that it would be more security concious. I'm sure many of you have heard of the Microsoft initiative called Trustworthy Computing. |
|||||||||||||||
So what exactly is it? Well to understand that you have to understand something else. It goes a little like this. Microsoft liked to throw temper tantrums anytime a person, group, organization or even one of its corporate clients found problems with MS software. It was later agreed in order for Microsoft to save face (having built quite a rep as a big whining baby) that anyone finding a bug/hole/exploit in MS software, having notified MS must give the software giant 2 weeks.
These 2 weeks are supposed to give the the software giant time to assess the problem and to issue or at least begin developing a patch. After 2 weeks whoever made the discovery can talk about it all they want. Sometimes though MS still likes to whine if it has yet to solve the problem. This was the case when eEye Digital Security decided to go public regarding the problems with UPnP. Microsoft claimed that the company failed to give them enough time. Numerous news article flooded the web. Here's a snipet from one such article. In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community. -- The Register, "Who Needs Hackers When We've Got MS?"So what does this have to do with the Trustworthy Computing initiative? What is it exactly? Let me explain. Trustworthy Computing is supposed to be a way for Microsoft to win some brownie points by cleaning up its software and making sure it's the most secure and stable thing out there. No longer would software ship with every feature enabled by default. What it turns out to be is nothing more than Bill Gates (who supposedly coined the phrase according to Bill himself) blowing smoke up our asses. Trustworthy computing turns out to be nothing more than than a PR campaign from Bill and Company. It makes Microsoft look as though they are really concerned about security when they're really not. A recent article from The Register talks about the newest round of security holes in IIS. If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....)While the last incident involving the Microsoft/Unisys Anti-Unix campaign was rather funny and irritated many (and the numerous articles which followed, and even a really good parody), this one takes the cake. If really shows that Microsoft products are nothing but flash. If you can't make it good, at least make it look good. -- Bill Gates |