OSNews

I see it more as someone who has gone through hell with security trying to give advice to someone else who hasnt felt the burn yet, telling them to take security a little more seriously (I'm not talking about from an engineering aspect here).

Would you rather trust someone who has gone through all the pain and agony and has a lot of experience with it, or someone who is still relatively new to having to worry about security, and hasn't been tested yet?

It's tough.

It's students talking to students.

Neither company has yet to prove themselves capable of the security game. Microsoft may have it right now, but they haven't instilled confidence in a massive sector of the IT field yet.

And there newest security ideas are untested in the wild. So really, he may be giving great advice, but he's not giving it from a position of great respect ... yet.

Well, if you take a look at their newest products, such as Server 2003 and IIS6, they are much better in regards to security. But you're mostly right, it's a "students to students" thing.

I just don't agree with the people saying "omg its microsoft, they dont know anything about security lol!"

I't just marketing play, to attemting to destroy Apples appeal wrt security in the general public; just before Vista ships.

If they wanted to talk seriously, they wouldn't have made it in public.

I general, I think that corporate sourced opinion pieces should be regarded as junk by a principle.

This is too laughable for words.

What a childish (fanboyish?) reaction! Have you read the articles? The headline is misleading of course, it is not microsoft, it is a guy who apparently has some experience with security - and his advices are sound! And believe it or not - time will prove him right. Apple needs a security officer - every OS with some market penetration needs a security officer. And saying that we don't need one, because we write software with security in mind is a flawed way of thinking, especially in the light of recent fsck.ups with security patches. Yeah, Microsoft did that too - and that is why Toulouse speaks from experience.

Edited 2006-03-24 13:00

Care to point us to these "recent fsck.ups with security patches"? Have YOU read the article? Do you run OSX? Do you update it regularly?

The guy clearly doesn't have a point. Apple's updates are more than well informing.

I'm running a Windows 2000 at work and OSX at home, and I've NEVER seen a single update by Microsoft that provides detailed information on what it is about. In contrast to that every single update by Apple comes with a lot of information about the individual issues being solved.

He may be right that Apple needs a security chief, but that's not up to him, he's not even working there, why should Apple follow MS's way of organizing things? Does he even has a clue how Apple, as company, is organized, and what processes this organization involves? If not - then he's no better at judging them than me and you and everyone we know.

Edited 2006-03-24 16:13

Care to point us to these "recent fsck.ups with security patches"?

It's in the article - which answers your question about reading them. Quote: "Toulouse was responding to Apple's recent update to a security fix that was designed to solve problems in installing an earlier patch. Apple's Security Update 2006-002 had caused problems with networking and with the Safari browser icon."

When you update WinXP you can click on a link to detailed description of each security vulnerability and patch - and their are surprisingly honest and detailed.

I run FreeBSD and PC-BSD, and maintain a small comp lab with WinXP desktops.

I take security seriously, and I didn't like the tone of the post I answered to. I didn't like its score specifically, because it is in no way insightful or interesting. In one broad sweep it discards the entire blog post, even though the blog itself is no inflammatory, and the advice it gives is good. I understand the sentiment behind it (I don't like Microsoft either), but it was a knee jerk reaction, something that could have been written even without reading the articles. I simply don't consider it a "balanced" opinion - hence my harsh words in reply.

Fair enough. I believe the post was provoked by the somewhat misleading title of the article.

Maybe MS needs someone from, for instance, the OpenBSD project to explain that to them?

It's not insecure by design. It's insecure because of defaults, bugs and legacy support (ok that can be argued to be design I suppose, but I don't agree).

It's not insecure by design. It's insecure because of defaults, bugs and legacy support (ok that can be argued to be design I suppose, but I don't agree).

If defaults, bugs and legacy support are not by design, then what are they? An accident?

Don't the Microsoft designers know what defaults they are setting? or whether they will or will not have legacy support?

These things clearly are by design.

When someone says design, I think architecture. The architecture isn't insecure.

Um yes they need advice, but not this guys advice.
They should listen to guys from FreeBSD, OpenBSD heck even Linux, because these platforms proved to be relativly secure over time when used as majority in the server area.

Windows and security simply don't go together, not the software, not the company.