Wednesday, August 13, 2008

Are software companies doing the right thing?

I was speaking with a couple of Microsoft folks about some security issues in their products. In particular, we were chatting about a vulnerability that was talked about during the Black Hat 2007 conference. This vulnerability would enable an attacker to exploit another weakness to completely compromise a system. The guy told me that they [Microsoft] did know about this weakness; in fact, they knew about it before it was disclosed. He also told me that there are many more vulnerabilities that are known to Microsoft but that users are not aware of.
I am assuming that the guy, in fact a couple of Microsoft folks, told me the truth and that they didn’t tell me that just to say “We are the vendor. We knew it before everybody else did. We know what we are doing.”
There are many reasons that may have led Microsoft, or other software companies, to choose not to fix these vulnerabilities before shipping their products. However, the question remains: is this really the right thing to do?
Let’s say you bought a parachute. If it doesn’t open, you will most probably end up dead! Now let’s say a parachute researcher discloses a problem with the same parachute model that you bought. You give the manufacturer a call and ask them about the problem. What would you expect to hear?
I personally would expect to hear something like: “Oh, yes! We just realized the problem and we are trying to reach our customers and ask them to bring their products back for an exchange or a refund.”
Hearing something like: “Oh yes. We knew this issue existed and we were working to fix it as soon as possible, but this guy disclosed the problem before we could actually fix it,” would just freak me out. It would mean they hid information from me that might have led me to buy another brand that didn’t have that problem.
Here is what I think must be enforced: either software companies should stop announcing that they were aware of a particular security issue after it is disclosed by a researcher, or they should be held responsible for damages to their clients should that specific vulnerability be exploited before its patch is released.

Tuesday, December 12, 2006

Security 2

I don't want to be very technical here, so I won't go into details.
The procedure of building a secure infrastructure consists of two main phases:
  1. Designing a secure infrastructure
  2. Implementing the plan securely

In a secure product, both of the above aspects must be taken care of. An example would be constructing a dam to prevent flooding! If the design is not good enough, the dam is not going to be reliable regardless of how well the construction workers did their job. The same is true if the plan is good and safe but the workers did a crappy job and the dam is not well built.

Friday, December 08, 2006

Security

You have probably heard the terms hackers, crackers, software security, software patches, etc. in the daily news. How can you trust a piece of software or a new technology?
Security is a very general concept, which is difficult to explain formally. Let me clarify the concept with an example:

Let's say there is a new phone service, Vonage for instance, that can provide you with a cheap yet powerful phone service. Phone services have been around for a long time. They have been rather safe, and almost nobody would question safety when buying a phone line. Unfortunately, this is not the case with most new technologies. New technologies are rather cheap because they use "shared" resources. Vonage is cheap because it uses the Internet, a multi-purpose resource, to send and receive voice. The nature of this new technology, which is just one of many possible examples, is completely different from what we know as a phone service. Therefore, new concerns such as security come into play. In other words, when you go to buy a high-tech, cheap and powerful phone line, you should definitely be questioning the safety of that product.

To be continued...
Stay tuned!

Monday, November 20, 2006

I decided to create this weblog to talk about technology in general and networks in particular. For the first post, I am going to talk about the open source business model.

Most of us are familiar, at least at the user level, with Microsoft Windows. The Microsoft business model is one of the oldest models and has been developed over time. Long story short, it's like paying for what you are buying! You pay for the Microsoft Internet Explorer working code and you get the support for free. In other words, the price of support is included in the original price.

What is the open source model? Well, it's the other way around! The code is free, but you have to pay for the support. This model seems promising because nowadays it is possible for almost everybody to get his/her hands on a pirated version of any software. So why should he/she pay for the code when pirated versions are available and the support is free?

Having stated the advantages of open source, one could ask: then why the hell doesn't Microsoft switch to open source? Well, one reason could be that it has its own enterprise customers who trust Microsoft and pay for its products. In other words, since Microsoft has those well-established customers, it can survive, or rule if you will.

In my opinion, if a small company wants to start a software project aimed at home users, they'd better start with open source and sell their support instead of their code!