From: draht at suse.de (Roman Drahtmueller)
Subject: Microsoft laxed security is threat to internet

[...]
> How much of a percentage of discussion and disclosure on this list is
> actually counter acting script kiddie hood and how much is actually
> aiding them to carry out further malicious activities across the
> internet on a global scale?
[...]

Nearly 100%, because if it is not this forum, it will be another. Are you
naive enough to believe that there is a benefit in NOT disclosing
vulnerabilities? Or that vulnerabilities cannot be investigated if the
source code of the software is not available? If there is not a clear 
"Yes, it's better if vulnerabilities and source code are not publicly 
available!", then you argue for transparency and openness. 
I'd rather trust a greyhat who openly discusses his findings than a vendor 
who doesn't, because my faith in him is rationally traceable.

> Yes, you can use this list to make vendors aware of a security
> situation. Although how many users are updating straight away and how
> many users are unaware of a flaw.
> 
> I think security lists are geared up more at the vendor patching X,
> than making the consumer aware of a security flaw and asking them to
> update.

My mom (to use an example) doesn't know what you're talking about. But she 
knows about a vendor's responsibility - full-disclosure@ has contributed 
to security matters being hyped in the media, forcing vendors to take 
action. Before bugtraq, vendors didn't even have enough reason to care for 
their bugs. So don't complain about security mailing lists such as 
full-disclosure@ not meeting YOUR requirement of making the consumer aware 
of flaws - the absence of the list and its contributions wouldn't leave 
the customer any choice in the first place.

[...]

[F**k not quoted]
> They (Microsoft) need to start using "Auto Updating" home and small
> business networks, and it doesn't matter about the critics who say
> it's a breach of privacy and you have no right modifying a user's
> computer. At the end of the day, we are talking about the spawning of
> very large bot nets owned by script kiddies, who can easily take down
> internet backbones and take out key infrastructure, which the very
> existence of the internet depends on.

(*)

> FD or BUGTRAQ can't save us now. Only Microsoft can. Implement Auto
> updating software for security patches without delay.
> 
> I don't have much faith in Service Pack 2 (The overhaul of Microsoft code).
> 
> All of these Microsoft exploits will be the death of the internet one
> day, when script kiddies decide to execute the mother of all denial of
> service attacks against the internet. Trust me, bot nets big enough
> are paused and waiting for such a day.

The cause of death of the internet will not be a technical one (like a
global communication blackout), but a sociological one: countless useless
attempts to solve human problems with technical means, the loss of trust
in software vendors and other corporations due to the loss of privacy and 
respect.

(*): Looks like you have chosen already.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@...e.de> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

