Bruce Schneier's CRYPTO-GRAM February 15, 2002


The new CRYPTO-GRAM from Bruce Schneier is out
( and contains some
interesting analysis on the changed attitude of Microsoft in terms of
security. It also contains analysis of the most critical security flaws of
Microsoft technology including .NET. I think it's pretty relevant to Linux
desktops like Gnome and KDE, as well...

Some quotes:

"Microsoft has compounded the problem by blurring the distinction between
the desktop and the Internet.  This has led to numerous security
vulnerabilities, based on different pieces of the operating system using
system resources differently.  Microsoft should revisit these design

It's the same direction both KDE and Gnome are taking, as well...

"Implementation of Microsoft SOAP, a protocol running over HTTP precisely
so it could bypass firewalls, should be withdrawn.  According to the
Microsoft documentation: "Since SOAP relies on HTTP as the transport
mechanism, and most firewalls allow HTTP to pass through, you'll have no
problem invoking SOAP endpoints from either side of a firewall."  It is
exactly this feature-above-security mindset that needs to go.  It may be
that SOAP offers sufficient security mechanisms, proper separation of code
and data.  However, Microsoft promotes it for its security avoidance."

No further comment :-)

"Security isn't easy, nor is it something that you can bolt onto a product
after the fact.  Making security Microsoft's first priority will require a
basic redesign of the way the company produces and markets software.  It
will involve a difficult cultural transition inside Microsoft.  It will
involve Microsoft setting aside short-term gains in order to achieve
long-term goals.  It's a difficult goal, and we believe that Microsoft can
do it.  We hope that they remain committed."

I hope both KDE and Gnome remain committed to the same goal, as well.