Message-ID: <20040115200912.GA10688@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Re: January 15 is Personal Firewall Day, help the cause

<RANT>
What should Cisco do? Cisco should stop letting all the people who write 
IOS release IOS code with all those vulnerabilities in it. It's not like 
they haven't been around since 1984 (they have) and like they can't do
regression testing (they do), so why are there 17 critical patches? 
Because they suck? No, because time-to-market still is more important than
shipping a robust product. Get the busdev ch0ads out of the driver's seat 
and get technical people back in charge and you'll see a marked decrease 
in vulnerabilities and patches. Let engineers engineer, dammit!

FWIW, the "anti-M$ drivel" is the response of a large number of highly
educated and experienced security professionals who have spent weeks,
months, and sometimes years of their time (for free in most cases) doing
research into security and reporting the findings to the pertinent vendors
who (in most cases) accept that information and then ... do nothing!

I think that it is safe to say that we all realize that security is a 
revenue drain for companies, but c'mon - we find the holes and report them,
we get nothing. We find the holes and exploit them, we're the bad guys.
Is the security community supposed to bend over and accept what large 
multinational corporations tell us? Sorry, but if you believe that then
your blinders are on too tight =;^)

Curious and intelligent people are going to pick apart the code and find 
the holes. Shutting down R&D would be the dumbest thing that we could do
(since hackers in Eastern Europe and Asia will just continue doing it 
and will leapfrog over us). So whether or not you are a fan of M$ and 
Cisco (and while they have their faults, I concede that both companies 
have made and continue to make major contributions to computers and 
networking) the fact remains that if someone tells you that your door is 
ajar and you neither respond nor act, then your decision can be and often
will be to your detriment.

BTW (TOTALLY off-topic), teaching people to avoid dangerous situations is
not a bad philosophy, IMHO, in cases where the people are not equipped to 
deal with the potential dangers. Small women would do well to avoid bad 
neighborhoods at night, even if they are walking home from their karate
class, unless they are looking for trouble.

FWIW, Foundry and Juniper (hi BMat) continue to be much better technical
solutions than Cisco. People buy Cisco because "no one ever got fired 
for buying {IBM,Microsoft,Cisco}" and because finding someone who knows 
the Cisco CLI (or who has a Cisco cert) is much easier than finding a
person who can properly set up and configure a Foundry "six-pack"
configuration.

Oh, and BellSouth has no clue. Never has had one, even way back before
Operation Sun Devil. No clue. Move where the clue is. There, is that better?
</RANT>

G

On or about 2004.01.15 13:55:18 +0000, Mary Landesman (mlande@...lsouth.net) said:

> That's pretty much like teaching your kids to never talk to strangers, or
> never visit the "bad" part of town. Fact is, most crimes are committed by
> people we know. Microsoft is often victimized, mainly because they are so
> ubiquitous. Cisco is running a poll right now to see which of the 17
> critical patches are most important to users, because they only have the
> manpower to fix 10 of them. Should we all stop using Cisco products?
> 
> This anti-MS drivel is so tiresome.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
