boufa06 said:
ncage, in your opinion as a security specialist, besides phishing and social engineering, what part of the blame should go back to Microsoft and its various software, i.e. Windows, Internet Explorer, Hotmail, Word, PowerPoint, etc.?
You asked a really difficult question here, so this is going to be a long-winded answer. Do I think that Microsoft has been lax in the past when it comes to security? Yes. Generally Microsoft, to push revenue, has tried to push lots of new features with every release. This only makes good business sense for a company trying to generate value for its stockholders. If they release a new version of their operating system with no new features but only security-related things, what will people say? "Why am I paying for bug fixes?" So if they don't offer new features they are paying programmers to update/fix their operating system and not having any new vehicle for revenue generation.
These new features make their software extremely easy to use, but at the same time these features make it possible for hackers to find new portals to attack machines. An example of a feature that is great for usability but opens up a portal for attackers is allowing HTML (web pages) to be viewed as email. While it allows interactive emails with animation and things like that, it also allows easy attacks on your computer. Then you have the people in the community who are screaming right before Microsoft is going to release a piece of software because they have software delays. Would you rather they release it and have all kinds of problems? My theory is it's done when it's done.
Here is another thing that Microsoft has to contend with. They have to add this new feature which will help the productivity of a lot of their corporate customers, and a lot of their customers are requesting it. They find later down the line that this was a bad idea. Well, some of their big customers have millions of lines of code based upon this technology and spent several million or more on it. So do they disable this technology and risk some pretty major lawsuits, probably, or keep it open? Well, in most cases they keep it open. Yes, they can still disable it by default, but I guarantee you a lot of users who don't know what they are doing will enable it. This has hit us where we work before. Now, whoever in the heck thought of allowing a web page to capture user clipboard data must have been half baked when he thought of this idea, but Microsoft is a big company and stuff can slip by. I'm assuming they don't take this out because it would break a lot of systems.
That said, Microsoft has been a LOT better in the security arena lately. I would say at this point it even tops a lot of companies that you would think would be security oriented. I will give a good example. Oracle, a VERY expensive database (a multimillion-dollar investment for companies sometimes), has been hit lately with several complaints about all the security holes. Microsoft SQL Server I would consider to be pretty good. Microsoft's new programming system (.NET) has had some bugs but has been pretty dang stable.
OK, then you hear those stories that the Mac is more secure than Windows, or Linux is more secure than Windows, which I think are unfounded, and here is why:
1) There are way, way fewer Linux/Mac machines out there than Windows PCs. Because hackers know that most users use Windows, that's where they focus their efforts.
2) At least when it comes to Linux, people who use Linux generally know what they are doing. If they didn't, they would be using Windows. They generally do not fall for some of the simple things that someone without a lot of computer background would fall for.
3) There is no way to protect someone who won't think before they click. I know people who will open an attachment no matter what. That is why the majority of these security concerns exist. Hey, if you're going to run in front of a car, how can I protect you? It all comes down to common sense in a lot of cases.
OK, the last issue I can think of is complexity. Windows and all the software you use is EXTREMELY complex. It takes years with programming teams of hundreds of programmers to complete these systems. It is IMPOSSIBLE to code something this large and not have bugs. It's just the nature of the beast.
So do I think Microsoft should be held accountable legally? No, I do not. Now, my opinion would change if there was a gaping hole and they just ignored it and left a lot of vulnerable PCs open to attack.