From: st_lim at stlim.net (Lim Swee Tat)
Subject: Bill Gates blames the victim

On Thu, 2003-09-04 at 00:02, Robert Ahnemann wrote:
> > "Richard M. Smith" <rms@...puterbytesman.com> writes (quotes):
> >>    ;;    Q. "The buffer overrun flaw that made the Blaster worm 
> >>    ;;    possible was specifically targeted in your code reviews 
> >>    ;;    last year. Do you understand why the flaw that led to 
> >>    ;;    Blaster escaped your detection?"
> >>    ;; 
> >>    ;;    A. "Understand there have actually been fixes for all of 
> >>    ;;    these things before the attack took place. The challenge 
> >>    ;;    is that we've got to get the fixes to be automatically 
> >>    ;;    applied without our customers having to make a special
> >>    ;;    effort."
> >> 
> >> "Don't trust our software. But do trust our patching/update 
> >> process..."
> >
> >Don't trust software but trust our software patches...
> >
> >We can continue the sentence by adding that the special effort is 
> >needed because new bugs are generated by these patches.
> 
> Let's relate this to real life (flame that line if you want).  Your car
> has a defect that causes the oil pan to leak.  Ford (I drive one, I can
> talk) issues a recall saying they know about the leak and are offering
> you a free fix, if you would just take the time to take the car to the
> shop.  You decide that you know better and that you would rather not
> invest the time.  Your engine is lying on the ground three weeks later.
> Whose fault is it?  They told you it was a problem.  You neglected to
> address it.  I can tell you who will be paying for the engine.   Today's
> society is about dissolving accountability.  I'm all for changing this
> around.
I think you miss the point, and this is more the typical scenario than
anything else.  Microsoft issues patches that are highly unreliable,
even to this day.

If we extend your Ford scenario: Ford issues a recall, but Ford also has
a reputation for fixing one thing and breaking another, so you let
someone else take the fix first and wait on the sidelines to see whether
the fix broke something for them.

In fact, the unreliability of M$'s patches has become so widespread that
typical IT shops manage their software with at least a 3-month
testing/trial period, even for software that is not demonstrably as
bad or as unreliable as M$'s.

Again, the message is that M$ should fix their software.  Trying to
automate the patch cycle without the user's permission still does not
solve the initial problem.

Ciao
ST Lim
> 
> (forgot to send to the list poo)
-- 
[ Hobbes: What would you call the creation of the universe? ]
[ Calvin: The Horrendous Space Kablooie! ]