
Network Security VulnWatch

Re: Your Opinion

Subject: Re: Your Opinion
Date: Fri, 16 Mar 2007 12:29:42 -0700
Mark Litchfield wrote:
I have heard the comment "It's a huge conflict of interest for one
company to provide both an operating platform and a security platform"
made by John Thompson (CEO Symantec) many times from many different
people.  See article below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an
OS, why would it be a conflict of interest for them to want to protect
their own OS from attack?  One would assume that this is a responsible
approach by the vendor, but one could also argue that their OS should
be coded securely in the first place.  If this were to happen then the
need for the Symantecs and McAfees of the world would somewhat diminish.
I've done both: sold a security enhancement for someone else's OS
(Immunix) and now I'm responsible for that same technology as part of
SUSE Linux (AppArmor).

I have no idea how Thompson gets his conflict of interest. It makes no
sense to me. I agree with Litchfield that it is an OS vendor's
responsibility to secure their OS as best they can, and using intrusion
prevention technologies is perfectly fair game.

However, Microsoft is a special case, because they have been legally
found to be a monopoly, and so special laws apply. So what Microsoft can
legally do may be different from what Red Hat, Novell, or Sun can do. I
am not a lawyer, so I won't speculate on what those differences might be.

Is Thompson talking about OS vendors in general having a conflict of
interest? Or just referring to Microsoft's monopoly status? I can't
tell, but it sounds like the former, and that sounds wrong.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Training at CanSec West   http://cansecwest.com/dojoapparmor.html
