[lug] The other half of the story (was Wash Post:...)

Bear Giles bgiles at coyotesong.com
Thu May 23 09:33:21 MDT 2002


The other half of the story was on Slashdot a few days ago.
http://slashdot.org/article.pl?sid=02/05/20/2124248&mode=thread&tid=109

Allchin, group VP for platforms at Microsoft, told the federal court
deciding on anti-trust remedies that Microsoft code was so bad that
the proposed disclosure to competitors proposed by the states would
threaten national security.

This is from the same company that left a warship dead in the water
(with the emphasis on DEAD, if this were a combat situation) for hours
after a divide-by-zero error took down the entire system.

This is from the same company that is routinely plagued by viruses
that mail bits of random files - including at least some classified
documents - to strangers.

I'm sure there have also been a number of successful attacks that
we've never heard about.  Teenage hackers may get grounded if caught,
so they tend to be flashy and shallow.  Intelligence agents may be
executed if caught, so they tend to be a lot more focused and low-key.

I can't imagine that the senior Pentagon officials were pleased
with this statement.  A good analogy would be a gun that the 
manufacturer knows will blow up in the soldier's face when used 
certain ways, and this is something that the *enemy* can control
once they learn of the problem (e.g., by planting agents in the 
company, bribing or seducing employees, or basic reverse engineering).
Nobody would ever tolerate that unless there was absolutely no
alternative available, but in this case Linux and *BSD have proven
themselves more than adequate.

The FBI has already visited Redmond to discuss Microsoft's sloppy
practices - the February "security cleanup" was almost certainly a
direct result of that meeting.... and the lack of *any* patches
issued despite tens of thousands of people spending a full month
looking for bugs even while Allchin admits that it's so bad that
disclosure would compromise national security is a damning indictment
of just how seriously they continue to take security.

I'm not surprised that Microsoft knows it's in a fight for its
life at the Pentagon.  I'm surprised that Allchin wasn't summoned
to the Pentagon or White House to be told that, since Microsoft
admitted in testimony in open court that it posed a threat to national
security, then an order was going out *today* to pull all Microsoft
code from every government computer.  Defense contractors would also
have to pull all Microsoft code, or lose their contracts.  If that caused
Microsoft to collapse as others followed suit, the country would
still be better served because the next generation of software
companies won't build up a $40,000,000,000 cash reserve while
leaving its customers swinging in the wind because they refuse to
take security seriously.  (Consider again the February Farce -
tens of thousands of developers spent an entire month working on
security issues, but nothing came out of it except for one minor
patch?!)

This may sound excessive, but imagine the fallout if someone takes
out an aircraft carrier or two because they were able to exploit
one of these bugs Microsoft admits exist.



