[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1074716350.2253.178.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Who's to blame for malicious code?
Dear Paul,
Am Mi, den 21.01.2004 schrieb Schmehl, Paul L um 19:23:
> ...Tobias wants to lay *all* the blame at
> Microsoft's feet, and I disagree.
_I_ must have made some mistakes expressing myself correctly because you
seem not to understand me :-) (See? I don't blame you. I blame myself
for being able to communicate this to you.)
I'm laying blame on MS for the fact that they don't change the way their
systems are delivered. I'm not blaming them 100% for the fact that users
don't patch. I blaming them for not taking all available measures that
don't involve action on behalf of users, namely shutting down
unnecessary services on consumer end users machines. I am blaming them
for the fact that every single user "mistake" like not patching on time
leads to _certain_ disaster because consumer end users use admin
accounts on XP Home by default. This isn't something users can change.
Users can't alter the way MS ships XP Home. MS enables every stupid user
to be Lord of Good and Evil (or admin in other words).
> Would you place all the blame on the
> openssl developers if someone gets hacked through an openssl vuln six
> months after the patch is released? (There are some here who do.)
I haven't seen someone stating this. Really. Patching is one thing but
delivering software in a state in which the absence of a patch to
unnecessary services is disastrous this isn't the users fault.
If a XP home users executes malicious content from the web or an email
attachment this immediately affects the whole system because they are
admin users by default. Of course they would have been invulnerable with
a patch. But shouldn't a good vendor foresee such user misbehaviour and
act accordingly? Shouldn't a vendor always assume the worst in users?
> Would you blame Linus for vulns in the Linux kernel that get hacked 3
> months after a patch is available?
No. But I would blame SuSE or any other Linux distributor if they
delivered a consumer end user Linux distribution that maybe features
such a vulnerable kernel module if it isn't necessarily used or aimed at
the consumer end user.
Of course people could have patched against the RPC vulnerability. But
it why should they if they don't use this service?! That whole Blaster
attack could have been avoided if MS shipped XP Home without the RPC
service enabled by default. Always remember that in the end it's always
the vendor that is liable for a product not the customer.
> There's a real double standard going on here. If an open source program
> has a problem, everyone blames the users when they don't patch and
> praises open source for being...well...open.
You're shifting topics. This debate has never been about Open Source.
BTW, I don't see a difference in the way open source and propriety
products should be developed. They both should aim at customers needs
and typical behaviours. And when I look at better open source projects I
note that they actually do better than their commercial competition.
> Yet in the *exact* same scenario, they want to assign *all* the blame to Microsoft, and that
> does a disservice to the Internet as a whole and compounds the problem,
> because it communicates to users that, if you use Microsoft, you are not
> to blame for the malicious code that your machine was compromised by.
You are dramatising issues here. No need for that. Nobody raised the
word on open source. You did. You shifted topics into this direction.
Why do all people defending MS think that anybody issuing criticism
towards MS is an open source advocate?! I'm not preaching as an open
source evangelist. I am preaching as a consumer advocate here.
> Until we communicate a *consistent* message to users that *they* also
> have some responsibility in the battle against malicious code, this
> problem will never go away.
We can do this AFTER we have ensured we deliver our products to them in
a "as safe as possible by default state". Until then we have to listen
to them, observe their behaviour and adapt our software. Not before we
have depleted all these possibilities are we allowed to alter their
behaviour. They are not the problem.
> Perhaps that's what the anti-MS crowd really wants. That way they can
> continue to carp and complain about MS without *really* solving the
> problem.
You're dramatising again. I'd file the same complaints against any other
vendor of end user products who doesn't follow basic principles on
securing products against user misbehaviour and unnecessary risks.
In fact I raise my finger against Lindows, maker of LindowsOS because
they seem to handle account policy the same way MS does with XP Home
(correct me if I'm wrong please). As far as I know the common end user
is working with root privileges under LindowsOS. This is the same stupid
mistake and failed design MS did with XP Home.
> Hopefully that clarifies my position.
Your position seems to be that users are automatically responsible if
they failed to patch. I disagree because simple measures such as turning
off unnecessary services by default for end users or not letting end
users work as administrators by default would have averted crisis
without the immediate need for end user reaction.
Basically, if a vendor doesn't account for stupid user behaviour then
the vendor is accountable for spreading exploits. Vendors can't force
customers to update and patch but _they_ can turn off unnecessary risks.
cheers,
Tobias
Powered by blists - more mailing lists