|

Vulnerability - VulnDiscuss

Your Opinion

View: New views

3 Messages — Rating Filter: Alert me

	Your Opinion by NGSSoftware Insight Security Research-3 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message I have heard the comment "It's a huge conflict of interest" for one company to provide both an operating platform and a security platform" made by John Thompson (CEO Symantec) many times from many different people. See article below. http://www2.csoonline.com/blog_view.html?CID=32554 In my personal opinion, regardless of the vendor, if they create an OS, why would it be a conflict of interest for them to want to protect their own OS from attack. One would assume that this is a responsible approach by the vendor, but one could also argue that their OS should be coded securely in the first place. If this were to happen then the need for the Symantec's, McAfee's of the world would some what diminsh. Anyway I am just curious as to what other people think. Thanks in advance Mark
	RE: Your Opinion by Scott Blake :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Wouldn't it be wonderful if we could have this discussion without mentioning the M-word? It seems to me that the OS vendor's ethical obligation is to produce the most secure platform they reasonably can and to fix any and all problems in it for free. Beyond that, lots of security problems exploit weaknesses in things other than the OS (like, say, the users) and there will always be a place (market?) for protection against those things regardless of how secure the OS platform is. Further, I'd bet that most of us are fans of defense in depth. Even if an OS was as secure as it could be and patches were free and ubiquitous, wouldn't it be prudent to layer something on top of that? If the OS vendor is acting ethically, following the obligations mentioned above, what difference could it make who produces the layered security product? The so-called conflict of interest arises from the perception, rightly or wrongly, that the OS vendor might be tempted to act in a less than ethical manner. If we presume ethics always and punish severely ethical lapses (which we should do regardless), it doesn't matter who produces the security platform. It would be most interesting to have a poll on this subject, both of the security community and the public at large. Scott -----Original Message----- From: Mark Litchfield [mailto:Mark@...] Sent: Friday, March 16, 2007 2:49 PM To: bugtraq@...; vulnwatch@...; full-disclosure@... Subject: Your Opinion I have heard the comment "It's a huge conflict of interest" for one company to provide both an operating platform and a security platform" made by John Thompson (CEO Symantec) many times from many different people. See article below. http://www2.csoonline.com/blog_view.html?CID=32554 In my personal opinion, regardless of the vendor, if they create an OS, why would it be a conflict of interest for them to want to protect their own OS from attack. One would assume that this is a responsible approach by the vendor, but one could also argue that their OS should be coded securely in the first place. If this were to happen then the need for the Symantec's, McAfee's of the world would some what diminsh. Anyway I am just curious as to what other people think. Thanks in advance Mark
	Re: Your Opinion by George Yobst :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Ummm, hhheeelllooo. Given the MS security history, Genuine Advantage (phone home), etc, would you really trust their decisions and software? I, for one, will be running Wireshark on any new MS implementations (when I get them). I do think it's applaudable that they are trying to increase security, but they have a long way to go yet (and trust is something that needs to be demonstrated, not dictated). -George PS - At least we're not talking about Oracle ;-) On Fri, 16 Mar 2007, Mark Litchfield wrote: \| I have heard the comment "It's a huge conflict of interest" for one company \| to provide both an operating platform and a security platform" made by John \| Thompson (CEO Symantec) many times from many different people. See article \| below. \| \| http://www2.csoonline.com/blog_view.html?CID=32554 \| \| In my personal opinion, regardless of the vendor, if they create an OS, why \| would it be a conflict of interest for them to want to protect their own OS \| from attack. One would assume that this is a responsible approach by the \| vendor, but one could also argue that their OS should be coded securely in \| the first place. If this were to happen then the need for the Symantec's, \| McAfee's of the world would some what diminsh. \| \| Anyway I am just curious as to what other people think. \| \| Thanks in advance \| \| Mark \| \| \| -- \| This message has been scanned for viruses and \| dangerous content by MailScanner, and is \| believed to be clean. \| \| --------------------------------------------------------------------------- George Yobst, Library Technology Analyst phone: 503.723.4890 Library Information Network of Clackamas County fax: 503.794.8238 16239 SE McLoughlin Blvd, Suite 208 web: http://www.lincc.lib.or.us Oak Grove, OR 97267-4654 email: george@... "...it is impossible for anyone to begin to learn what he thinks he already knows." - Epictetus