From: tobias at weisserth.de (Tobias Weisserth)
Subject: Who's to blame for malicious code?

Dear Paul,

On Wed, 21.01.2004 at 19:23, Schmehl, Paul L wrote:
> ...Tobias wants to lay *all* the blame at
> Microsoft's feet, and I disagree.

_I_ must have made some mistakes expressing myself correctly because you
seem not to understand me :-) (See? I don't blame you. I blame myself
for being able to communicate this to you.)

I'm laying blame on MS for the fact that they don't change the way their
systems are delivered. I'm not blaming them 100% for the fact that users
don't patch. I am blaming them for not taking all available measures that
don't involve action on behalf of users, namely shutting down
unnecessary services on consumer end users' machines. I am blaming them
for the fact that every single user "mistake" like not patching on time
leads to _certain_ disaster because consumer end users use admin
accounts on XP Home by default. This isn't something users can change.
Users can't alter the way MS ships XP Home. MS enables every stupid user
to be Lord of Good and Evil (or admin in other words).

> Would you place all the blame on the
> openssl developers if someone gets hacked through an openssl vuln six
> months after the patch is released?  (There are some here who do.)

I haven't seen someone stating this. Really. Patching is one thing, but
delivering software in a state in which the absence of a patch to
unnecessary services is disastrous, this isn't the user's fault.

If an XP Home user executes malicious content from the web or an email
attachment this immediately affects the whole system because they are
admin users by default. Of course they would have been invulnerable with
a patch. But shouldn't a good vendor foresee such user misbehaviour and
act accordingly? Shouldn't a vendor always assume the worst in users?

> Would you blame Linus for vulns in the Linux kernel that get hacked 3
> months after a patch is available?

No. But I would blame SuSE or any other Linux distributor if they
delivered a consumer end user Linux distribution that maybe features
such a vulnerable kernel module if it isn't necessarily used or aimed at
the consumer end user.

Of course people could have patched against the RPC vulnerability. But
why should they if they don't use this service?! That whole Blaster
attack could have been avoided if MS shipped XP Home without the RPC
service enabled by default. Always remember that in the end it's always
the vendor that is liable for a product, not the customer.

> There's a real double standard going on here.  If an open source program
> has a problem, everyone blames the users when they don't patch and
> praises open source for being...well...open.

You're shifting topics. This debate has never been about Open Source.

BTW, I don't see a difference in the way open source and proprietary
products should be developed. They both should aim at customers' needs
and typical behaviours. And when I look at better open source projects I
note that they actually do better than their commercial competition.

> Yet in the *exact* same scenario, they want to assign *all* the blame to Microsoft, and that
> does a disservice to the Internet as a whole and compounds the problem,
> because it communicates to users that, if you use Microsoft, you are not
> to blame for the malicious code that your machine was compromised by.

You are dramatising issues here. No need for that. Nobody raised the
word on open source. You did. You shifted topics into this direction.
Why do all people defending MS think that anybody issuing criticism
towards MS is an open source advocate?! I'm not preaching as an open
source evangelist. I am preaching as a consumer advocate here.

> Until we communicate a *consistent* message to users that *they* also
> have some responsibility in the battle against malicious code, this
> problem will never go away.

We can do this AFTER we have ensured we deliver our products to them in
an "as safe as possible by default" state. Until then we have to listen
to them, observe their behaviour and adapt our software. Not before we
have depleted all these possibilities are we allowed to alter their
behaviour. They are not the problem.

> Perhaps that's what the anti-MS crowd really wants.  That way they can
> continue to carp and complain about MS without *really* solving the
> problem.

You're dramatising again. I'd file the same complaints against any other
vendor of end user products who doesn't follow basic principles on
securing products against user misbehaviour and unnecessary risks.

In fact I raise my finger against Lindows, maker of LindowsOS, because
they seem to handle account policy the same way MS does with XP Home
(correct me if I'm wrong please). As far as I know the common end user
is working with root privileges under LindowsOS. This is the same stupid
mistake and failed design MS did with XP Home.

> Hopefully that clarifies my position.

Your position seems to be that users are automatically responsible if
they failed to patch. I disagree because simple measures such as turning
off unnecessary services by default for end users or not letting end
users work as administrators by default would have averted the crisis
without the immediate need for end user reaction.

Basically, if a vendor doesn't account for stupid user behaviour then
the vendor is accountable for spreading exploits. Vendors can't force
customers to update and patch but _they_ can turn off unnecessary risks.

cheers,
Tobias
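As an added illustration, not part of Tobias's message or the thread: a PowerShell audit of the two defaults criticized above, run on a current Windows host rather than XP Home. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and reports whether the session holds administrator rights and which services are listening on every network interface.

```powershell
# Added example, not from the original post: audit the two defaults the
# message criticizes (working as admin, unnecessary services exposed).
# Assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection.

# 1. Does the current session hold administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user $($identity.Name) has administrator rights: $isAdmin"

# 2. Which Windows services own a TCP socket listening on all interfaces?
# Several services usually share one svchost.exe process, so each listening
# port is mapped to every service hosted in the owning PID.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
$byPid    = $services | Group-Object -Property ProcessId -AsHashTable -AsString

Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    ForEach-Object {
        $owners = $byPid["$($_.OwningProcess)"]
        [pscustomobject]@{
            Port     = $_.LocalPort          # e.g. 135 = RPC endpoint mapper
            Pid      = $_.OwningProcess
            Services = if ($owners) { $owners.Name -join ', ' } else { '(not a service)' }
        }
    } |
    Sort-Object Port -Unique |
    Format-Table -AutoSize
```

Each row in the table is a service reachable from the network by default; any that the machine's role does not need is a candidate for disabling, which is the mitigation the message argues vendors should apply before shipping.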

