RE: Traceable Infrastructure is as vulnerable as traceable messages.

jamesd@echeque.com[SMTP:jamesd@echeque.com] wrote:
Microsoft, as a whole, is incompetent at security. All supposedly secure software coming out of Microsoft varies from poor to worthless. Does anyone doubt it? They take standard, well-known methods and make well-known bungles in applying them and customizing them.
Microsoft's forte is making money. They do this by spending hugely on what people think they want (ease of use), and not wasting resources on things which do not impact market share. If MS ever decided that they were losing money due to poor security, they would get good at it, fast. How many fewer copies of WinXP will they sell due to Code Red I, II, and III? Not many. A few (a very few) sysadmins may decide to go with Apache instead of IIS. It's not like many home or corporate users are going to switch to Linux purely due to security issues. I hate to say this, but until software developers are held (at least at the corporate level) in some way liable for their failures, there will be little or no improvement in the situation.
We do not get to see much of the spook output. What we have seen in recent years is not good.
I'm aware of exactly two datapoints - Skipjack (which wasn't good enough that anyone wanted to use it), and the recent 'dual counter mode' snafu. That's not enough to draw broad conclusions.
During World War II the government sucked up all the best people from the open sector and put them to work in the secret sector. For example, most of the world's greatest scientists wound up hand-making nuclear weapons. However, one would expect, with the passage of time, that people who work in secret would suffer from Parkinson's law, and this appears to be happening.
[...]
Microsoft produces crap security because most of their customers do not know any better. Therefore NSA will produce crap security because their customers are forbidden to know any better.
MS makes crap because their customers buy it. If the customers (or their insurers) insisted on security, MS would do better. (BTW, MS's security rep is now so bad that I know of security experts who would not work for them, due to the damage it would do to their reputations.) I occasionally see the argument that NSA can't retain people due to the much higher salaries, etc., in the public sector. While I have no doubt that this is partially true, there are plenty of very good people who find that the non-tangible benefits - patriotism, a sense that one's work is important, that one is a trusted member of the inner circle and privy to secret knowledge - are more than enough to make up for a civil service paycheck. No one should discount these factors just because they don't move them themselves.
James A. Donald
Peter Trei