[attrition] that recent MS babble about SDLC
security curmudgeon
jericho at attrition.org
Mon Feb 15 11:07:15 UTC 2010
http://blogs.msdn.com/shawnhernan/default.aspx
http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx
Fourteen mentions of Microsoft, no corporate logo, no immediately
recognized affiliation with Microsoft. Read past the thousands of words to
the 'about' or the bottom of the page and "(c) 2010 Microsoft
Corporation", you may eventually get the idea this is a MS employee. (And
no, http://blogs.msdn.com/ blog titles would suggest there is a 50%
chance it was written by a Russian spammer as much as a MS employee)
The post goes on to say SDLC is good, open source 'many eyes' is bad. No
immediate claim of affiliation, no indication that Shawn is the 'Senior
Security Program Manager' at Microsoft
(http://www.linkedin.com/in/shawnhernan).
This post comes out on Feb 13, days after the big MS patch Tuesday in
which they patch a 10 and 17 year old vulnerability? No, that is not
coincidence, that is not 'forgetting to visibly identify affiliation'.
That is a cheap fucking shill and lame propaganda.
Any claims of timing can be safely ignored. If a "Senior Security Program
Manager" isn't aware of the MS patches and their relevance when posting an
"our code review is bestest" type message, he should be shot in the knee
and then fired.
10 year old being patched:
http://seclists.org/bugtraq/1999/Jan/45
17 year old being patched:
http://news.bbc.co.uk/2/hi/technology/8499859.stm
Microsoft, if this post is confusing, try this link:
http://www.bing.com/search?q=transparent&go=&form=QBLH&qs=n
- security curmudgeon