bz wrote:


>>> My point was that ms products are not secure.
>>
>> Which is wrong as well. I'd consider Windows XP and Windows Server 2003
>> as well as all their server stuff as quite secure and reliable.
>
> True, provided they are a locked, guarded room with no connection to the
> outside world.


So that's why they got NSA C2 and CC EAL4+ evaluation?

> So, if the other two products were also 'documented to be insecure in
> untrusted environments' then there would be a 'clean sweep'.


For IIS, this would be true. For Windows 2000 the cause is a lack of
security patching support.

> And everyone could be happy because the insecurity is documented, right?


You can't claim insecurity when there weren't any security guarantees given
in first place.