Message-ID: <Pine.GSO.4.43.0401211509030.24922-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Who's to blame for malicious code?

	[headers snipped]

>
> Yes, I believe it was me, although you could easily verify that with the
> archives.
>
> >  <perhaps I'm thinking it was you and in fact it
> > was someone else>  Either the argument was false then and
> > Windows admins were and remain just plain lazy, or the
> > argument was/is true and there's a problem within the core
> > OS offered up from Redmond...
> >
> This is where we disagree.  You contend that admins are lazy.  I contend
> that that is not the case at all, and I take issue with that
> characterization because it misrepresents the problem.  The problem is
> deploying patches to an enterprise in a timely manner.  Just because
> admins don't get patches deployed in time does not mean they are lazy or
> don't care.  They may have problems you can't even imagine in trying to
> get the patches deployed.  But the fact remains, *if* the patches get
> deployed, the problem is solved and the malicious code has no impact.
>
> I don't see how these two points are at odds with each other or that one
> "disproves" the other.
>

Which further proves the point that keeping up to date on patches is not
the answer.  Not for the home user, who most often lacks the knowledge of
the threats they really face within the env that is the Internet, nor for
the corporate enterprise, where dependencies and uptimes and SLAs and such,
as well as change management processes, do not conform well to quarterly
patching, let alone weekly or, worse, trying to keep up on whether or not
this patch undoes what last week's patches did.

> My point is not that Microsoft is blameless.  They obviously are not.
> My point is that even though Microsoft could certainly be doing a much
> better job, the problem *still* won't be solved if users don't patch.
> That is true of *any* OS.  Tobias wants to lay *all* the blame at
> Microsoft's feet, and I disagree.  Would you place all the blame on the
> openssl developers if someone gets hacked through an openssl vuln six
> months after the patch is released?  (There are some here who do.)
> Would you blame Linus for vulns in the Linux kernel that get hacked 3
> months after a patch is available?
>

If Linus acquired all the rights to all that SCO code that apparently is
Linux, and it all suffered one open wound compounding another with
bi-weekly and weekly patches reversing each time you installed a new
printer or card into the box, I think he'd likely be getting hammered in a
list like this pretty hard.

> There's a real double standard going on here.  If an open source program
> has a problem, everyone blames the users when they don't patch and
> praises open source for being...well...open.  Yet in the *exact* same
> scenario, they want to assign *all* the blame to Microsoft, and that
> does a disservice to the Internet as a whole and compounds the problem,
> because it communicates to users that, if you use Microsoft, you are not
> to blame for the malicious code that your machine was compromised by.
>

Remnants of the Morris worm are not still pounding at my gateway devices
and triggering countless IDS systems across the net, let alone reinfecting
new systems faster than one can patch them, while Nimda, Code Red, and
Slammer still are, and are likely to for years to come.  The anti-M$ outcry is
not something totally new; ask Russ Cooper about his days on the old,
pretty well defunct firewalls list, prior to his putting up NTBugtraq, when he
was almost a lone wolf in Redmond's defense back then.  No, the outcry is
not new, but the veracity and spread, and the fact that the voices of those that
have to administer those various Windows corporate systems are joining in,
is what's different in the latest round.  It's not just the "anti-M$"
crowd, it's Redmond's own customer base starting to wind up.  That has to
be a wakeup call for dramatic action from this major vendor, who might
have joined in on Personal Firewall Day if only to advise and remind home
users about patching and about enabling their ICF subsystems, and closing
all those unsafe defaults installed open...they have the cash for such an
endeavour.

> Until we communicate a *consistent* message to users that *they* also
> have some responsibility in the battle against malicious code, this
> problem will never go away.
>
> Perhaps that's what the anti-MS crowd really wants.  That way they can
> continue to carp and complain about MS without *really* solving the
> problem.
>
> Hopefully that clarifies my position.
>

Muchly, sorry to push you to the point of clarity.  But, let me pose a
question:

If the *BSD maintainers, or those charged with the Linux kernel and the
various Linux apps, or say OS X folks wrote code that was repeatedly, time
and again, worked over by some of the simple issues that again and again
affect each version of the Windows OS, would they remain as popular as they
have with those disillusioned by that which spews out of Redmond?  Perhaps
not; after all, there is a key difference in the marketing and cost
associated with the products...

Or, another question:

I was being courted a few years ago to join a team to move the Hotmail and
MSN systems off Sun boxen to their own OS.  Has that task yet been
completed, and if not, why?  Or, better yet, why were they not installed first
show on a Windows OS?


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
