| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: New therad: sasser, costs, support etc alltogether Hi Radule, On Fri, 2004-05-14 at 17:27, Radule Soskic wrote: > I can't post this to all the threads that I would like to, so I'm > opening a new one. > > Follow this: > > 1. MS is wrongdoing by releasing (and charging for use of) software that > has bugs in it. Users of such software have losses in time/money by > trying to keep up with applying pathches, or just by trying to keep the > uptime high. Guess what. Everybody releases software that has bugs in it. That's totally not the point. What MS does wrong is the non-disclosure of security, the sometimes bad quality of the patches and their late and untimely release (though the later isn't true with Sasser). Still, these shortcomings (a more suitable word than wrongdoing) are no crime. > 2. Admins are wrongdoing by not applying patches to the systems they > maintain. There are losses tied to such misspractice, too. This is again a shortcoming but no crime. If I don't patch and nobody exploits me, then where is the problem? > 3. Worm authors are wrongdoing by writing software that propagate > through the networks by exploiting all of the above. Again, the losses > occur in time/money spent to remove the worms from the systems affected. There's the financial loss on one side and the fact that they are in fact criminals. All I'm asking for is that these crimes be punished by the letters of the law. > It is obvious that almost every legal system in the world treats #3 as > crime, while #2 and #1 are broadly tolerated. Exactly my point. > Noone here is against the > book of law, but it just seems to be in contrast to the natural and > intuitive feeling of justice that majority of people might have > regarding the issues like these. See - only one of the three wrongdoers > is being punished. That's because the other two simply are shortcomings in contrast to actually wrongdoing or crime with intent. > Is it right? Or - is it wrong? Well, should a 16 year old girl, wandering late about New York Central Parc be punished when somebody rapes her? Obviously she did something wrong, wandering late at night and without protection in a dangerous place? Should this wrongdoing of her be used in the legal defence of the guy raping her? > BTW, I have a funny feeling that damages/losses caused by #3 might very > often be far less than the ones caused by #2 and #1. If I don't patch a bug and nobody exploits it I don't suffer damages. Now, is not patching immediately leading to damages? Only if someone actually exploits this bug. *Their* criminal behaviour is needed to make my shortcoming a part of the problem. > Am I alone? I guess many people are scrambling to the rescue of this kiddo because his victims were using "M$" products. Would the victims have been users of OpenBSD products or some Linux distribution or VMS or some other superior product, everybody would have gone for the kids head. Let's be colourblind for a moment, OK? Let's pretend you don't know what bug has been exploited on what product. Let's still suppose there has been a patch available for two weeks and the problem was well announced in the media. Now let's look at what the Sasser author has done, the damages he has caused. I guess the reaction would have looked a bit different. I've never heard of a fund being raised for the guys that broke into the Debian server (well, they haven't been caught yet...). This whole debate about MS guilt is hypocritical. Who am I talking to anyway?! I'm not even using a single MS product... Tobias
Powered by blists - more mailing lists