Traceable Infrastructure is as vulnerable as traceable messa ges.

Trei, Peter ptrei at rsasecurity.com
Mon Aug 13 07:30:14 PDT 2001 

> jamesd at echeque.com[SMTP:jamesd at echeque.com] wrote:
> 
> Microsoft, as a whole, is incompetent at security.  All
> supposedly secure software coming out of Microsoft varies from
> poor to worthless.  Does anyone doubt it?   They take standard
> well known methods and make well known bungles in applying it and
> customizing it.
> 
Microsoft's forte is making money. They do this by spending hugely on
what people think they want (ease of use), and not wasting resources on
things which do not impact market share. 

If MS ever decided that they were losing money due to poor security, 
they would get good at it, fast. How many fewer copies of WinXP will
they sell due to Code Red I, II, and III? Not many. A few (a very few) 
sysadmins may decide to go with Apache instead of IIS. It's not like
many home or corporate users are going to switch to Linux purely
due to security issues.

I hate to say this, but until software developers are held (at least at the
corporate level) in some way liable for their failures, there will be little
or no improvement in the situation. 

> We do not get to see much of the spook output.  What we have seen
> in recent years is not good.
> 
I'm aware of exactly two datapoints - Skipjack (which wasn't good enough
that anyone wanted to use it), and the recent 'dual counter mode' snafu.
That's not enough to draw broad conclusions.

> During world war II the government sucked up all the best people
> from the open sector, and put them to work in the secret sector.
> For example most of the words greatest scientists wound up hand
> making nuclear weapons.   However, one would expect, with the
> passage of time, that people who work in secret would suffer from
> Parkinson's law, and this appears to be happening.
> 
	[...]

> Microsoft produces crap security because most of their customers
> do not know any better.  Therefore NSA will produce crap security
> because their customers are forbidden to know any better. 
> 
MS makes crap because their customers buy it. If the customers
(or their insurers) insisted on security, MS would do better. (BTW, 
MS's security rep is now so bad, that I know of security experts 
who would not work for them, due to the damage it would do to 
their reputations).

I occasionally see the argument that NSA can't retain people due
to the much higher salaries, etc, in the public sector. While I have
no doubt that this is partially true, there are plenty of very good
people who find that the non-tangible benefits - patriotism, a sense
that one's work is important, that one is a trusted member of
the inner circle and privy to secret knowledge - are more than 
enough to make up for a civil service paycheck. No one should 
discount these factors just because they don't move them 
themselves.

>          James A. Donald
> 
Peter Trei

More information about the cypherpunks-legacy mailing list