Open Source and information security mailing list archives
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Who's to blame for malicious code?

Hi Paul,

On Tue, 20.01.2004, at 19:53, Schmehl, Paul L wrote:
> > This is too easy. It's the same with guns. People always 
> > blame the people who pull the trigger but the fact that guns 
> > are soooooo damn easy to get, even for minors doesn't startle 
> > a soul...
> >
> This is a ludicrous argument.  Do you seriously believe that if all guns
> suddenly disappeared that murders would cease????  But this is
> completely off topic, so I'll leave it at that.

Well, let's end this with just one last statement: I'm rather glad that
most European nations don't handle gun control the way the US does. The
mortality rates concerning gun shots in the EU are FAR less than in the
States. 

> Returning more to the topic at hand, I agree with Mary that the writers
> of malicious code are to blame for much of the present problems, but I
> also think users must take some responsibility as well.  So should the
> writers of software.

You want to spread it even among all stakeholders ;-) How nice of you
;-)

But well, no.

Customer is king. This is most important. Always. Users rule.

Of course the people writing malicious code are criminals. But there
will always be criminals. There is no measure, no ransom whatsoever, that
could change this. Take the ransom MS offered on clues leading to the
arrest of virus writers. Not a single dime has been spent because this
is a totally useless measure. Criminals are a constant. You can't
eradicate them. In my native language there's a saying that goes
something like this: "Where there is an opportunity, there is a thief."
or "Opportunities make thieves".

The opportunities MS bundles with its software create massive amounts of
thieves. You don't have to be a studied computer engineer to write a
Bagle, Blaster or Nimda. In fact, it's even so easy that people writing
this stuff are referred to as "script kiddies". If you find a flaw in a
Windows service and you want to exploit it then you can always count on
the fact that millions of uneducated end users are running these
services to spread your plague. Well, I hear you saying it's the end
users' fault. They need to be educated. This is plain wrong. It's the
vendor's fault. He should disable everything that is not essential and
offer "opt-out" of this setting.

>   It's been proven conclusively in the US, IMNSHO,
> that you cannot legislate good behavior, no matter how much the
> politicians try, mostly to society's detriment.

We totally agree on that one. But doesn't this demand to ship software
in "secure by default" state rather than "I have my RPC port wide open
and I don't know noffin'" state?

> All the warnings in the world won't stop some idiots from flying to Nigeria to pick up their
> commissions, and all the security in software that you can possibly
> design in won't stop some people from doing stupid things that
> compromise their machine, *regardless* of how well designed it is.  You
> need only look at the number of compromised Unix machines worldwide to
> realize that the OS isn't the problem.

If you reread my post you'll note I never said that it's the quality of
the MS software that leads to disaster. I'm talking about "opting in"
for security. THIS is the MS sin. And frankly, there's no excuse for it.

> In a perfect world, no one would write malicious code, and the OS you
> use wouldn't matter at all.  But we don't live in a perfect world, do
> we?

Exactly. Because we don't live in a perfect world I do expect that my
vendor ships me software without default settings that are risky. When I
need the additional feature, I'd rather enable it myself. If I don't
know how, all the better. I have to learn how to do it and I will bring
this risk to myself rather than share it unnecessarily with millions of
other users who don't need the additional feature.

> Yet, no matter what OS you use, you can find *someone* whose
> machine is compromised.

Yes. But there are very few OSs that keep being raped the way the
consumer versions of Windows are because they don't run unnecessary
services by default. THERE IS a big difference between Windows and
OpenBSD for example. This is not technical, this is philosophical.
Secure by default versus "opt in security if you need it".

The two examples I gave in my initial answer to you actually contain
that. I wonder why you didn't comment on them. What's your opinion on an
enabled RPC port by default in consumer OSs? Don't you think the simple
measure of shipping Windows XP Home without such a service enabled would
have stopped the spread of Blaster cold? I do.

cheers,
Tobias W.
