harishpillay (harishpillay) wrote,

MSFT's analysis of security

I was asked by @tonynewling for my take on the "Vista One Year Vulnerability Report". I finally got time to look at it and at subsequent reports by the same author, and I have to applaud the report's author for cleverly clouding the report.

To his credit, he does say that he would still have done the report even if his employer's product had come out looking not so rosy. Granted, that report is over a year and a half old now (September 9, 2009), so it is rather passé to consider. But I am sure that MSFT would have used that report to try to make their Vista product look less vulnerable (considering how @tonynewling wanted my input). The author's methodology is clever. He took the first twelve months after each product's GA to analyse vulnerability counts and patch efficiency. He was also clever in saying he would only compare Vista with Red Hat's Red Hat Enterprise Linux WS 4. And this even though Red Hat Enterprise Linux 5 had already been out for almost twelve months. He was happy to compare the twelve months after RHEL4's GA (which was in March 2005) against Vista, which I think came out in 2007 (I am not going to check and am sure someone will correct me).

If we are to look at any software product's development methodology (open source or closed source), every study (see David Wheeler's page) shows that by being open, you are assured that if there are vulnerabilities and defects, THEY WILL BE FOUND AND FIXED. Earlier last month, an eight-year-old vulnerability in the Linux kernel was discovered and fixed. Try that for ANY MSFT product. I am not begrudging their business model. What I am begrudging is the smooth "lies" that they constantly put out, including the cleverly crafted report referenced above.

Never mind the past. Let's move forward and look at what is looming on the horizon. Vista will be dead soon when MSFT releases Windows 7 sometime this year. And how do they intend to bring it to the market? How about with blatant lies? I did pose the question earlier today and am hoping that someone from MSFT will respond. It is HIGHLY unlikely anyone will (right @osrin and @tonynewling?). Now I read that the same lies are being told about the Mac as well.

Why can't MSFT do an honest job in selling their product? Why do they have to resort to outright lies and misrepresentations? The whole MSFT business is an intellectual vacuum and morally corrupt.

