| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Re: January 15 is Personal Firewall Day, help the cause
<RANT>
What should Cisco do? Cisco should stop letting all the people who write
IOS release IOS code with all those vulnerabilities in it. It's not like
they haven't been around since 1984 (they have) and like they can't do
regression testing (they do), so why are there 17 critical patches?
Because they suck? No, because time-to-market still is more important than
shipping a robust product. Get the busdev ch0ads out of the driver's seat
and get technical people back in charge and you'll see a marked decrease
in vulnerabilities and patches. Let engineers engineer, dammit!
FWIW, the "anti-M$ drivel" is the response of a large number of highly
educated and experienced security professionals who have spent weeks,
months, and sometimes years of their time (for free in most cases) doing
research into security and reporting the findings to the pertinent vendors
who (in most cases) accept that information and then ... do nothing!
I think that it is safe to say that we all realize that security is a
revenue drain for companies, but c'mon - we find the holes and report them,
we get nothing. We find the holes and exploit them, we're the bad guys.
Is the security community supposed to bend over and accept what large
multinational corporations tell us? Sorry, but if you believe that then
your blinders are on too tight =;^)
Curious and intelligent people are going to pick apart the code and find
the holes. Shutting down R&D would be the dumbest thing that we could do
(since hackers in Eastern Europe and Asia will just continue doing it
and will leapfrog over us). So whether or not you are a fan of M$ and
Cisco (and while they have their faults, I concede that both companies
have made and continue to make major contributions to computers and
networking) the fact remains that if someone tells you that your door is
ajar and you neither respond not act, then your decision can be and often
will be to your detriment.
BTW (TOTALLY off-topic), teaching people to avoid dangerous situations is
not a bad philosophy, IMHO, in cases where the people are not equipped to
deal with the potential dangers. Small women would do well to avoid bad
neighborhoods at night, even if they are walking home from their karate
class, unless they are looking for trouble.
FWIW, Foundry and Juniper (hi BMat) continue to be much better technical
solutions than Cisco. People buy Cisco because "no one every got fired
for buying {IBM,Microsoft,Cisco}" and because finding someone who knows
the Cisco CLI (or who has a Cisco cert) is much easier than finding a
person who can properly set up and configure a Foundry "six-pack"
configuration.
Oh, and BellSouth has no clue. Never has had one, even way back before
Operation Sun Devil. No clue. Move where the clue is. There, is that better?
</RANT>
G
On or about 2004.01.15 13:55:18 +0000, Mary Landesman (mlande@...lsouth.net) said:
> That's pretty much like teaching your kids to never talk to strangers, or
> never visit the "bad" part of town. Fact is, most crimes are committed by
> people we know. Microsoft is often victimized, mainly because they are so
> ubiquitous. Cisco is running a poll right now to see which of the 17
> critical patches are most important to users, because they only have the
> manpower to fix 10 of them. Should we all stop using Cisco products?
>
> This anti-MS drivel is so tiresome.
--
Gregory A. Gilliss, CISSP E-mail: greg@...liss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Powered by blists - more mailing lists