Message-ID: <1062610763.14396.111.camel@localhost>
From: st_lim at stlim.net (Lim Swee Tat)
Subject: Bill Gates blames the victim
On Thu, 2003-09-04 at 00:02, Robert Ahnemann wrote:
> > "Richard M. Smith" <rms@...puterbytesman.com> writes (quotes):
> >> ;; Q. "The buffer overrun flaw that made the Blaster worm
> >> ;; possible was specifically targeted in your code reviews
> >> ;; last year. Do you understand why the flaw that led to
> >> ;; Blaster escaped your detection?"
> >> ;;
> >> ;; A. "Understand there have actually been fixes for all of
> >> ;; these things before the attack took place. The challenge
> >> ;; is that we've got to get the fixes to be automatically
> >> ;; applied without our customers having to make a special
> >> ;; effort."
> >>
> >> "Don't trust our software. But do trust our patching/update
> >> process..."
> >
> >Don't trust software but trust our software patches...
> >
> >We can continue the sentence by adding that the special effort is
> >needed because new bugs are generated by these patches.
>
> Let's relate this to real life (flame that line if you want). Your car
> has a defect that causes the oil pan to leak. Ford (I drive one, I can
> talk) issues a recall saying they know about the leak and are offering
> you a free fix, if you would just take the time to take the car to the
> shop. You decide that you know better and that you would rather not
> invest the time. Your engine is lying on the ground three weeks later.
> Whose fault is it? They told you it was a problem. You neglected to
> address it. I can tell you who will be paying for the engine. Today's
> society is about dissolving accountability. I'm all for changing this
> around.
I think you miss the point, and this is more the typical scenario than
anything else. Microsoft issues patches that are highly unreliable,
even to this day.
If we do a comparison to Ford, as per your scenario: Ford issues a
recall, but Ford also has a reputation for fixing one thing and breaking
another, so you let someone else take the fix first and wait on the
sidelines to see whether the fix broke something for him/her.
In fact, the unreliability of M$'s patches has become so widespread that
typical IT shops manage their software with at least a 3 month
testing/trial period even for software that is not demographically as
bad or even as unreliable as M$'s.
Again, the message is that M$ should fix their software. Trying to automate
the patch cycle without the user's permission does not, and still will not,
solve the initial problem.
Ciao
ST Lim
>
> (forgot to send to the list poo)
-- 
[ Hobbes: What would you call the creation of the universe? ]
[ Calvin: The Horrendous Space Kablooie! ]