lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 21 Jan 2004 08:26:16 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Alun Jones <alun@...is.com>
Cc: bugtraq@...urityfocus.org
Subject: Re: What is the point here?


Aloha, Alun.

You do a very good job of describing the purpose of vulnerability 
disclosure as a means of achieving better information security. You draw 
the conclusion that the things you've described are *bad* -- many other 
people draw the conclusion that these things are *good* and in 
particular find it important to remind vendors that they cannot expect 
the public to accept marketing propaganda in lieu of the truth.

The point really is to make vendors, users, admins, and others who 
desire real security aware of the fact that there are resources 
available to them where good people post the exploits that bad people 
otherwise develop and keep to themselves. We cannot prevent bad people 
from sharing exploit information.

Do you honestly prefer not to know that your software is flawed and that 
those flaws are being exploited to cause your customers harm?

How many times will your customers be harmed between the time that a 
vulnerability in your product is first discovered and exploited and the 
time that you are notified or find it yourself and then 1) release a 
fix, 2) communicate the need for the fix to your customers, and 3) 
achieve 100% install base for the update?

Your own story of discovering BugTraq the hard way shows that prompt 
disclosure to the public created instant security hardening, without 
your involvement or consent, of systems running your vulnerable software.

Why do you expect to be the only person responsible for your customers' 
security? That is just emotional nonsense-thought driven by a system of 
values that you acquired from Microsoft without realizing it. I've been 
in contact with you on an irregular basis for almost a decade, such as 
when I wrote about your software in "Setting Up An Internet Site For 
Dummies" -- and in many ways my professional path resembles your own. I 
can tell you from personal experience, and from the experience of 
watching you and people like you struggle to comprehend information 
security after-the-fact, that your opinions on this subject have been 
shaped by the way that Microsoft discovered information security 
after-the-fact. You have been spoon-fed knowledge of infosec through 
pain and suffering, just like every other Windows user/developer/admin.

What you still don't realize is that other vendors' customers, Linux 
houses, etc. didn't go through such a long and difficult learning curve 
to arrive at awareness of security. How much longer will it take for us 
defected Windows professionals to achieve the level of understanding of 
and concern for security that the rest of our industry has possessed for 
decades? I don't know the answer to this question, but I do know that 
it's amazing anyone paid us to do work at all during the 1990's because 
on the whole we did them harm through our lack of awareness.

It sure is a good thing that legal product liability does not exist in 
the software business.

Sincerely,

Jason Coombs
jasonc@...ence.org


Alun Jones wrote:
...
> I really don't know why _you_ signed up for Bugtraq.  Me, I signed up
> because someone posted an exploit for my software here some time ago, and
> didn't bother to tell me about it first.  I'd like to think that isn't
> Bugtraq's purpose.
...

Powered by blists - more mailing lists