On Mon, May 19, 2014 at 3:28 PM, Fred Baker (fred) <fred(_at_)cisco(_dot_)com>
wrote:
Several people have replied to the tone of your email. Let me reply with a
bit of somewhat-technical commentary.
In their defense, Microsoft has taken a pretty strong approach to software
quality over the past decade plus. Frankly, poor software quality has hurt
them. It is in their interest to fix it for several reasons, not just this
one. That is perhaps one of the best arguments for their current campaign to
move their users from Windows XP-and-older to their latest operating systems
- it reduces their support costs and improves the quality of their brand.
If we were going to start pointing fingers. Buffer overruns are an
invention of Dennis Richie and UNIX.
Microsoft Basic, the last code Bill Gates wrote himself had memory
management and garbage collection on strings.
Windows 95 was never designed to be an Internet operating system.
Microsoft changed course on that in mid 1995 just after the launch of
Windows 95. Windows XP was designed to be the last phase of the bridge
to a fully accounts based security model.
I remember that when Vista came out there was a huge amount of
complaining from system admins whose lazy shiftless persons would
actually have to do some work as a result of the new security model.
So instead of that they yammered on about Vista not being any good and
did their best to drag their feet. All the while knowing that the
Windows XP security model was compromised by the need for backwards
compatibility to Win 95.
Even today most of the NSA runs on Windows XP or earlier. Which is how
Snowden was able to extract all that data. And in the PKIX working
group we had DoD contractors trying to block any changes to the specs
that would force updates on the Netscape CA used by the DoD PKI that
has cost over a billion dollars to deploy.
There are certainly security problems on the net. But claiming that
they are exclusively the fault of one party hides the fact that there
is far more blame to go round.