Re: MS Windows Security Update CD now available

From: Hugh Candlin (no_at_spam.com)
Date: 02/19/04


Date: Thu, 19 Feb 2004 15:16:57 -0800


Gerry Cornell <gcjc@btinternet.com> wrote in message news:#6o$m3y9DHA.1116@TK2MSFTNGP09.phx.gbl...
Gary

Your dialogue with Hugh and others was interesting to read <g>. May I single out part of one paragraph you wrote which, to me, is the
best justification I have seen, as to why the CD will be helpful.

"I *do* see it as being extremely useful to anyone who is performing a clean install of older Windows systems. In fact, I suspect
that this CD will provide a way for persons to "over-install" an existing system, or "upgrade" from Win98 to 98SE, and be able to
restore their system to a state of sanity that until now was not usually possible after such procedures."

HC: That is true, and always was true, and was never disputed.
         While this dialog (Gerry), diatribe (Gary) or proposal (Hugh)
         has gone way beyond that, the original statement was intended
         to comment that users needed to be aware of the time decay
         inherent in the content of the CD.

Hugh's line "Security should be integrated into the product to the extent that Security
is the base component of the product, and the features of the product
are built upon and around that solid, secure, transparent foundation.

There is NO other way, and NO other way should be considered.
ANY suggestion that this cannot be done is baseless and irresponsible."

This is too puritanical for my taste. Changing "the" to an "a" before "base component"
 makes the first paragraph more palatable to me.

HC: While I reserve the right to change my mind once I have mulled that over,
         at the moment, I can live with that change.

With the benefit of hindsight I think Microsoft should have adopted Hugh's line on security
but regrettably they did not so we need to move on.

HC: I and many others had the benefit of foresight. Security of computer systems is
        and always has been a primary concern. Bill Gates was on the opposite side
        of the fence. He used a computer without authorization in his salad days.
        He had no concept of what security requirements were needed. I am not sure
        that he understands it today, judging by Microsoft's actions and also lack of remedial action.

To say Microsoft acted irresponsibly, in my view, goes too far

HC: Time out. Nobody said that.

as it presumes that Microsoft were or should have been aware of the dangers
and should have built in more security.

HC: While I didn't make the statement that you read into this,
         the presumption that you mention is indeed valid.

The cost to them of their mistake, in terms of loss of face and rectification costs,
must have been, and is continuing to be, colossal so one would hope / expect them
not to make the same mistake again.

HC: One would hope, if they know what to do and how to do it. They don't.
         Not in my humble opinion. Microsoft does not and never has understood
         the enterprise. Microsoft employees spend much of their time cloistered.
         They have no concept of reality in terms of the problems and issues faced
         by corporate employees and home consumers alike as they conduct their
         business and personal affairs on their business and personal computers.
         If they never get out on fact-finding missions to "learn the business",
         then how can they expect to solve the problems?

--
~~~~~~
Regards.
Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA
gcjc@yesit.co.uk
Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
"Gary S. Terhune" <grystnews@mvps.org> wrote in message news:%23$93pow9DHA.1424@TK2MSFTNGP12.phx.gbl...
"Hugh Candlin" <no@spam.com> wrote in message news:%23gwJqfs9DHA.2316@TK2MSFTNGP11.phx.gbl...
>
> Gary S. Terhune <grystnews@mvps.org> wrote in message news:uH3aGzp9DHA.3816@tk2msftngp13.phx.gbl...
>
> Are you ready for a major "the way I see it" speech? Here it is--"The Way I See It", by Hugh Candlin.
Fair's fair, <s>.
>
> Security isn't something you dink around with, "solving" one problem at a time,
> until you get it right, because you are never going to get it right that way.
Ummm, Hugh... How long do you think folks are going to sit around and wait for this perfect OS to be developed? Solving one problem
at a time is what computer science is all about.  A computer system, secure or not, is worthless if it can't also perform tasks that
are requested of it, using the technology available, and within the environment that is currently extant. We all have perfectly
secure systems available to us. Pull the plug and you got one sitting right in front of you (so long as you can keep anyone else
from plugging it back in.) I do not know of *one_single* perfectly secure computer system in the entire world that actually does
anything or contains any data worth keeping "secure". So long as there is an interface with that data, it is not secure, almost by
definition.
>
> Security should be integrated into the product to the extent that Security
> is the base component of the product, and the features of the product
> are built upon and around that solid, secure, transparent foundation.
Dream on. "Solid, Secure, Transparent." Mutually exclusive conditions.
>
> There is NO other way, and NO other way should be considered.
> ANY suggestion that this cannot be done is baseless and irresponsible.
I do not consider myself irresponsible or lacking a base, and I categorically refute your premise. It CANNOT be done.
>
> If the current market leader cannot and/or will not accept that fact,
> then the market will turn away from them to someone who will.
There is no such system. Not even possible on paper. Thus there can be no such person or corporation, now or ever.
>
> Many years ago, Bill Gates publicly agonized over the possibility,
> that Microsoft would follow the normal corporate bell curve to oblivion.
>
> Or was it probability?
Probability, based upon simple understanding of business dynamics. Also irrelevant to the subject at hand.
>
> I could add a disclaimer here that, despite the probability that this missive will be
> perceived as a diatribe against Microsoft, nothing could be further from the truth.
Diatribe, yes. One which I suspect is born of understandable frustration. But if you insist on speaking in absolutes, you put most
realistic discussion beyond the pale.
>
> I am perfectly OK with Microsoft maintaining its position as the supplier
> of the #1 desktop operating system.  But right now, that position is up for grabs,
> and if Microsoft doesn't learn to innovate and think outside the box they are in,
> then change is inevitable.
Change is always inevitable. But I see nothing even remotely resembling your dream OS anywhere on the horizon (which I guess is to
be expected, since it's a mathematical impossibility.) Yup, the position is up for grabs, and always has been. And I don't see any
better candidates for an even reasonably "Secure System", anywhere. Not any that are also even remotely within the realm of
mass-production with broad consumer appeal.
>
> I could, but I won't.
If you could, I suspect you would. But can you at least establish some reasonable discussion points?
>
> It is easier to criticize me for being analytical than it is to address the fundamental flaws
> that need to be addressed.  And they WILL be addressed.
>
> It simply remains to be seen, by whom.
>
I see no real analysis, only diatribe. Sorry, Hugh. I like and respect you, but we've found your blind spot. Yes, systems that are
more secure will be developed, and paradigms will change, particularly those involving the definition and practice of computer
security. But in the end, the PC world is as close to being purely democratic as anything else I can think of--and you know what
they say about democracy.
--
Gary S. Terhune
MS MVP for Windows 9x

