[plug] [link] Choice quotes from Comdex security Panel
Leon Brooks
leon at brooks.fdns.net
Sat Nov 23 20:50:13 WST 2002

Quoting:
http://computerworld.com/securitytopics/security/story/0,10801,76049,00.html

Microsoft Corp., with its ballyhooed Trustworthy Computing initiative,
drew particular invective. "Microsoft is producing software that is
completely insecure," Schneier said, prompting scattered applause from
the audience. "The reason is there is no liability for producing a shoddy
product." If car makers produced vehicles that did not operate properly,
they would be held liable and sued, but the same doesn't happen with
software makers, Schneier said.

"Microsoft produces software that has three systemic flaws a week and
nothing happens to them," he said, adding that the company simply
releases patches and that's that. The Boeing Co., which makes airplanes,
"won't use Windows at all," he said, because the company is "playing in
the real world" where problematic software matters.

[...]

"The people who designed wireless protocols did a horrible job with
security," Schneier said, referring to WEP (Wired Equivalent Privacy)
and IEEE 802.11, which has been notoriously problematic from a security
standpoint.

[...]

Businesses want to deal with system security without government
interference because "the last thing you want to do is to fully expose
everything you're doing to protect yourself because this is a
cat-and-mouse game," he said. Some have called for government to force
businesses to reveal what they are doing to keep their networks secure.
Further complicating the issue of creating new laws and regulations is
that system administrators are already burdened and "can't get to
patches from last year," let alone figuring out how to comply with
additional federal requirements, Noonan said [KDE's 95-minute
turnaround on a Konqueror SSL vulnerability sprang to mind].

Asked to comment on the one thing that they either believe is a myth
about security or that they would like to see change, most panelists
said they want everyone to take responsibility for security, including
home users who need to insist that the software they buy have security
features.

Schneier had a different take, saying he wishes government and
companies would focus on "actual criminals and not hackers ... I think
we focus too much on the kids, on the spraypainting and not on the
actual crime," including those who break into systems and steal
information or otherwise cause havoc.

Cheers; Leon