December 19, 2003

Gene Spafford on Linux vs Microsoft Security

On one of the secure coding mailing lists that I am on, Gene Spafford made an interesting and quite funny post in regard to Linux vs Microsoft security (although I must admit the thread was originally about open vs closed source security, which doesn't just cover Linux). I just have to share it with you:

Of course we have always heard these debates in OS flame wars, but for some reason the tail fin and french-fry oil made me chuckle. Ken was smart enough to kill the thread before it got any more "heated", but alas... there is one serious and interesting point. Read spaf's last paragraph. I've been saying that for some time now. That should be what Longhorn is about when it comes to security... if Microsoft does it right. Time will tell on that bit.

Posted by SilverStr at December 19, 2003 02:50 PM | TrackBack

Comments
This is what MS has been relying on. In 5 years we'll have it right, stick with us for now, we'll give you something AWESOME that's secure, pretty, and works perfectly in a couple of years. Going on their track record up till now, Linux is the choice for security IMO, but Microsoft is counting on the mentality of people to ignore it because they have something shiny coming out any decade now. They did the same thing for '95 when they were fighting against OS/2 as well. Years (literally, IIRC) of hype and marketing telling people that they shouldn't buy OS/2 but should instead wait for Windows 95, which will be out RSN(tm).

Posted by: Arcterex at December 19, 2003 03:29 PM

Well, unless you were obscured way back then as a "Team OS/2" zealot... Win95 in many ways WAS better than OS/2. (Although I must admit, OS/2 was more stable in some areas... it was a disaster in others.) I think Microsoft has to rebuild our trust. We are always going to look at them as the evil empire until they change. I see those changes now because I have to work so closely with them at times. When I did that like 10 years ago it was sheer hell. Now they seem to be more open, and willing to work with others. Until they produce, we won't believe it. That's the problem with their track record history. But in the same vein, I'd rather wait for something I KNOW is being engineered securely for the future than something that "might" be. Microsoft has a responsibility to its customers, shareholders and corporate well-being to fix their blunders as they relate to security. Yet I can't say the same thing for any particular Linux distribution, or even some of the kernel developers. Outside of the kernel itself, which is code audited to the nth degree... not all aspects of software engineering on Linux have the same care put into them as Microsoft is now putting into every aspect of its development.

Something else spaf said in another post (which basically started this flamewar) was to ask where the open source requirements capture tools, specification languages and provers, D-U/mutation tools, and regression tool suites were. I'll add to that list a thorough test plan for security and functionality, just to be complete. I ask myself that very thing. I know Microsoft has them. I have seen them. I have used some of these tools. Hell, I have blogged about some of these tools. Yet the same isn't openly integrated into the build scripts available for most core components in a Linux distribution.

Posted by: SilverStr at December 19, 2003 04:08 PM

The benefit of the Linux car is that you can open the hood, tinker with the engine, install some seat belts, add additional crash protection, and so on. You KNOW that it doesn't have X, Y, Z, but the design is open to anyone. With the Microsoft car, the hood is welded shut, you can't trust the brakes will hold, the statistics on crash protection are skewed since the safety agencies benefit from giving favorable results to the major manufacturer (MS), and your local mechanic can't find wiring schematics or instructions to replace the gas tank.

Posted by: Wim at December 19, 2003 05:28 PM

Or, instead of just staring at the Linux car with big googly eyes, you could look at the OBSD vehicle. That one comes with a 5 point harness for every passenger, runs on fuel that won't explode, and doesn't care if the vehicle doesn't exceed 60km/h so long as all the safety gear is installed first. Remember, the speed of this car isn't such an important factor if you can simply throw more cars at the problem to even out the work load. In the end, you need to choose which features are most important to you, and then pick which vehicle you're going to sit down in and drive.

Posted by: pokernut at December 20, 2003 12:14 AM

Leaves me wondering ... which mailing list?

Posted by: Max at December 20, 2003 04:41 AM

The Secure Coding Mailing List. More information can be found at: http://www.securecoding.org/list/

Posted by: SilverStr at December 20, 2003 02:39 PM