Message-ID: <400EC448.9080009@science.org>
Date: Wed, 21 Jan 2004 08:26:16 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Alun Jones <alun@...is.com>
Cc: bugtraq@...urityfocus.org
Subject: Re: What is the point here?
Aloha, Alun.

You do a very good job of describing the purpose of vulnerability
disclosure as a means of achieving better information security. You draw
the conclusion that the things you've described are *bad* -- many other
people draw the conclusion that these things are *good* and in
particular find it important to remind vendors that they cannot expect
the public to accept marketing propaganda in lieu of the truth.

The point really is to make vendors, users, admins, and others who
desire real security aware of the fact that there are resources
available to them where good people post the exploits that bad people
otherwise develop and keep to themselves. We cannot prevent bad people
from sharing exploit information.

Do you honestly prefer not to know that your software is flawed and that
those flaws are being exploited to cause your customers harm?

How many times will your customers be harmed between the time that a
vulnerability in your product is first discovered and exploited and the
time that you are notified or find it yourself and then 1) release a
fix, 2) communicate the need for the fix to your customers, and 3)
achieve a 100% install base for the update?

Your own story of discovering BugTraq the hard way shows that prompt
disclosure to the public created instant security hardening, without
your involvement or consent, of systems running your vulnerable software.

Why do you expect to be the only person responsible for your customers'
security? That is just emotional nonsense-thought driven by a system of
values that you acquired from Microsoft without realizing it. I've been
in contact with you on an irregular basis for almost a decade, such as
when I wrote about your software in "Setting Up An Internet Site For
Dummies" -- and in many ways my professional path resembles your own. I
can tell you from personal experience, and from the experience of
watching you and people like you struggle to comprehend information
security after the fact, that your opinions on this subject have been
shaped by the way that Microsoft discovered information security
after the fact. You have been spoon-fed knowledge of infosec through
pain and suffering, just like every other Windows user/developer/admin.
What you still don't realize is that other vendors' customers, Linux
houses, etc. didn't go through such a long and difficult learning curve
to arrive at awareness of security. How much longer will it take for us
defected Windows professionals to achieve the level of understanding of
and concern for security that the rest of our industry has possessed for
decades? I don't know the answer to this question, but I do know that
it's amazing anyone paid us to do work at all during the 1990s because
on the whole we did them harm through our lack of awareness.

It sure is a good thing that legal product liability does not exist in
the software business.
Sincerely,
Jason Coombs
jasonc@...ence.org
Alun Jones wrote:
...
> I really don't know why _you_ signed up for Bugtraq. Me, I signed up
> because someone posted an exploit for my software here some time ago, and
> didn't bother to tell me about it first. I'd like to think that isn't
> Bugtraq's purpose.
...