lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0309031301430.8389-100000@kepler.acns.bethel.edu>
From: b-nordquist at bethel.edu (Brent J. Nordquist)
Subject: Bill Gates blames the victim

On Wed, 3 Sep 2003, Robert Ahnemann <rahnemann@...inity-mortgage.com> wrote:

> >>    ;;    Q. "The buffer overrun flaw that made the Blaster worm 
> >>    ;;    possible was specifically targeted in your code reviews 
> >>    ;;    last year. Do you understand why the flaw that led to 
> >>    ;;    Blaster escaped your detection?"
> >>    ;; 
> >>    ;;    A. "Understand there have actually been fixes for all of 
> >>    ;;    these things before the attack took place. The challenge 
> >>    ;;    is that we've got to get the fixes to be automatically 
> >>    ;;    applied without our customers having to make a special effort."
> 
> Let's relate this to real life (flame that line if you want).  Your car
> has a defect that causes the oil pan to leak.  Ford (I drive one, I can
> talk) issues a recall saying they know about the leak and are offering
> you a free fix, if you would just take the time to take the car to the
> shop.  You decide that you know better and that you would rather not
> invest the time.  You engine is lying on the ground three weeks later.
> Whose fault is it?

My issue isn't with the patch.  And that isn't what the interviewer asked
above, if you read carefully.  The interviewee was allowed to duck the
question by giving an answer to a different question.  I wish he'd been
called on it.

If you want your real life analogy to be complete, you need to add (a) a
Ford VP announcing that "all oil pan leaks have been found and fixed in
our latest Ford model, about to be released" (yes, a Microsoft VP actually
said that about buffer overflows in Windows XP) and (b) when questioned
about why that latest Ford model has a leak after the "leak-free"
declaration, the Ford rep. responds, "Well, we did announce a fix for the
leak, if you had just brought your Ford in for repair."

That *wasn't the question*.  The question is whether the evidence to date
should lead us to have confidence in your Trustworthy Motoring program,
and your ability to find leaks in what you're building, and your own
declarations of your products as being designed and built to be leak-free.

-- 
Brent J. Nordquist <b-nordquist@...hel.edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ