[plug] [link] Choice quotes from Comdex security Panel

Leon Brooks leon at brooks.fdns.net
Sat Nov 23 20:50:13 WST 2002


Quoting:

http://computerworld.com/securitytopics/security/story/0,10801,76049,00.html

    Microsoft Corp., with its ballyhooed Trustworthy Computing initiative,
    drew particular invective. "Microsoft is producing software that is
    completely insecure," Schneier said, prompting scattered applause from
    the audience. "The reason is there is no liability for producing a shoddy
    product." If car makers produced vehicles that did not operate properly,
    they would be held liable and sued, but the same doesn't happen with
    software makers, Schneier said.

    "Microsoft produces software that has three systemic flaws a week and
    nothing happens to them," he said, adding that the company simply
    releases patches and that's that. The Boeing Co., which makes airplanes,
    "won't use Windows at all," he said, because the company is "playing in
    the real world" where problematic software matters.

    [...]

    "The people who designed wireless protocols did a horrible job with
    security," Schneier said, referring to WEP (Wired Equivalent Privacy)
    and IEEE 802.11, which has been notoriously problematic from a security
    standpoint.

    [...]

    Businesses want to deal with system security without government
    interference because "the last thing you want to do is to fully expose
    everything you're doing to protect yourself because this is a
    cat-and-mouse game," he said. Some have called for government to force
    businesses to reveal what they are doing to keep their networks secure.

    Further complicating the issue of creating new laws and regulations is
    that system administrators are already burdened and "can't get to
    patches from last year," let alone figuring out how to comply with
    additional federal requirements, Noonan said [KDE's 95-minute
    turnaround on a Konqueror SSL vulnerability sprang to mind].

    Asked to comment on the one thing that they either believe is a myth
    about security or that they would like to see change, most panelists
    said they want everyone to take responsibility for security, including
    home users who need to insist that the software they buy have security
    features. 

    Schneier had a different take, saying he wishes government and
    companies would focus on "actual criminals and not hackers ... I think
    we focus too much on the kids, on the spraypainting and not on the
    actual crime," including those who break into systems and steal
    information or otherwise cause havoc.

Cheers; Leon


