lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: dufresne at (Ron DuFresne)
Subject: Who's to blame for malicious code?

	[headers snipped]

> Yes, I believe it was me, although you could easily verify that with the
> archives.
> >  <perhaps I'm thinking it was you and in fact it
> > was someone else>  Either the arguement was false then and
> > windows admins were and remain just plain lazy, or the
> > argument was/is true and there's a problem within the core
> > OS offered up from redmond...
> >
> This is where we disagree.  You contend that admins are lazy.  I contend
> that that is not the case at all, and I take issue with that
> characterization because it misrepresents the problem.  The problem is
> deploying patches to an enterprise in a timely manner.  Just because
> admins don't get patches deployed in time does not mean they are lazy or
> don't care.  They may have problems you can't even imagine in trying to
> get the patches deployed.  But the fact remains, *if* the patches get
> deployed, the problem is solved and the malicious code has no impact.
> I don't see how these two points are at odds with each other or that one
> "disproves" the other.

Which further proves the point that keeping up to date on patches is not
the answer.  Not for the home user whom most often lacks the knowledge of
the threats they really face within the env that is the Internet, nor for
the corporate enterprise, where dependancies and uptimes and SLA' and such
as well as change managment processes do not conform well to quarterly
patching let alone weekly or worse, trying to keep up on whether or not
this patch undoes what last weeks patches did.

> My point is not that Microsoft is blameless.  They obviously are not.
> My point is that even though Microsoft could certainly be doing a much
> better job, the problem *still* won't be solved if users don't patch.
> That is true of *any* OS.  Tobias wants to lay *all* the blame at
> Microsoft's feet, and I disagree.  Would you place all the blame on the
> openssl developers if someone gets hacked through an openssl vuln six
> months after the patch is released?  (There are some here who do.)
> Would you blame Linus for vulns in the Linux kernel that get hacked 3
> months after a patch is available?

If Linus acquired all the rights to all that SCO code that apparantly is
linux, and it all suffered one open wound compounding another with
bi-weekly and weekly patches reversing each time you installed a new
printer or card into the box, I think he'd likely be getting hammered in a
list like this pretty hard.

> There's a real double standard going on here.  If an open source program
> has a problem, everyone blames the users when they don't patch and
> praises open source for  Yet in the *exact* same
> scenario, they want to assign *all* the blame to Microsoft, and that
> does a disservice to the Internet as a whole and compounds the problem,
> because it communicates to users that, if you use Microsoft, you are not
> to blame for the malicious code that your machine was compromised by.

Remnants of the morris worm are not still pounding at my gateway devices
and triggering countless IDS systems across the net, let alone reinfecting
new systems faster then one can patch them, while nimda, code-red, and
slammer still are, and likely to for years to come.  the anti-m$ outcry is
not something totally new, ask Russ Cooper about his days on the old
pretty well defunct firewalls list, prior to his putting  up ntbugtraq, he
was almost a lone wolf in redmonds defense back then.  No, the outcry is
not new, but the veracity and spread, and into the voices of those that
have to administer those various windows corporate systems are joining in
is what's different in the latest round.  It's not just the "anti-M$"
crowd, it's redmond's own customer base starting to wind up.  that has to
be a a wakeup call for dramtic action from this major vendor, who might
have joined in on personal firewall day if only to adviise and remind home
users about patching and about enabling their ICF subsystems, and closing
all those unsafe defaults installed open...they have the cash for such an

> Until we communicate a *consistent* message to users that *they* also
> have some responsibility in the battle against malicious code, this
> problem will never go away.
> Perhaps that's what the anti-MS crowd really wants.  That way they can
> continue to carp and complain about MS without *really* solving the
> problem.
> Hopefully that clarifies my position.

muchly, sorry to push you to the point of clarity.  but, let me pose a

if the *bsd maintainers, or those charged with the linux kernel and the
various linux apps, or say OS X folks wrote code that was repeatedly, time
and again worked over  by some of the simple issues that again and again
affect each version of windows OS', would they remain as popular as they
have with those disillusioned by that which spews out of redmond?  Perhaps
not, afterall there is a key difference in the marketing and cost
associated with the products...

Or, another question;

I was being courted a few years ago to join a team to move the hotmail and
msn systems off sun boxen to their own OS, has that task yet been
completed and if not why, or better yet, why were they not installed first
show on a windows OS?


Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Powered by blists - more mailing lists