Version: 2008

Comments on: Inviting the hackers inside

Aiming to be more open, Microsoft reaches out to the security research community it once kept at a distance.

Warm and fuzzy...
by Kings X Rocks! December 4, 2007 4:37 AM PST
Microsoft cares. They just have too many deadlines to meet to get products/updates out the door...and probably too many coders to be able to manage competently. Never a dull moment (except when Vista locks up doing a large copy from a server!!)
Windows security
by MShipley December 4, 2007 1:56 PM PST
The thing is that Microsoft would have to scrap every bit of code
in their crummy OS and start over from scratch to build anything
that is even anywhere as close to secure as Mac OS X.

Either that or continue to patch, spit and smooth things over to
make a bigger mess than they have now.
lol
by 3rdalbum December 6, 2007 5:18 AM PST
Mr Shipley, there are some quite fundamental problems with Apple's attitude toward security. The programmers who work on the upper layers of Mac OS X are a bunch of hackers in the 1980s sense: They do whatever possible to get their code running. Even if that means violating the Unix-like security system.

Apple touts the benefits of its "Industrial-Strength Unix" while constantly trying to subvert it. Have you ever used the Repair Permissions tool? The fact that OS X users have to "repair permissions" every so often is a symptom of this. The Darwin base is doing what it's designed to do in a Unix-like manner, and the upper layers are doing things in a quick-and-dirty direct way. The two different methods clash, and it's a miracle that OS X actually ends off being as stable as it is. I was also surprised to hear about the firewall problems in Leopard - I didn't think something like those would actually go unnoticed, but I guess the culture at Apple has spread to its QA and testing departments.

I have grave misgivings over the security of this ugly programming style. If Apple really wants to bring security to the Mac OS, it needs to employ actual Unix-trained people who know how to work WITH a Unix system, instead of working AGAINST it. The effect of this would be the dumping of all the code Apple has written since the late 90s, and directly using upstream projects without modification.

Microsoft does its share of turd-polishing, and Vista places too much reliance on active security (i.e. trying to stop burglars from stealing your stuff AFTER they have entered your unlocked house). But at least Microsoft shows signs of a culture change in terms of security. Apple doesn't.
"Researchers?"
by whmurray December 5, 2007 8:17 AM PST
Hardly. These are "vulnerability pimps."

When one lies down with dogs, one gets up with fleas. I first noted this in the context of rogue hackers about twenty years ago. The intervening history has confirmed me in my belief. Perhaps Microsoft can afford the risk but I would not invite them into my house, nor enter one where they were known to congregate. Working in this space is dangerous enough without associating with those who flunked playground.

Rogue hackers are sociopaths. Expecting them to function constructively within society is to expect magic. They are loners and do not function well in organizations. How good is Microsoft at herding cats?

Hacking is addictive and recidivism is high. The hacker is trying to repeat the rush he got from his first hit. As with other addictions, tolerance grows and it requires bigger and bigger hits to even approach that first thrill.
That's #3 and #4!
by 3rdalbum December 6, 2007 5:23 AM PST
I agree with whmurray - they are vulnerability pimps, or turd polishers.

See #3 "Penetrate and Patch" and #4 "Hacking is Cool" on Marcus Ranum's "The Six Dumbest Ideas in Computer Security" at the following address: http://www.ranum.com/security/computer_security/editorials/dumb/