Message-ID: <20040218171259.GA23268@sentinelchicken.org>
From: tim-security at sentinelchicken.org (Tim)
Subject: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

> Oh, give me a break. Some developer went, "Oh, hey, I'm not bounds
> checking there. Okay, fix that," and the changes filtered out into
> the release of IE. You don't release "security patches" except in
> response to publication of a serious vulnerability, and especially
> in response to a problem that's systemic. This is *a* buffer
> overflow. Do we expect even Sun or Apple to tell us about every
> buffer overflow they fix? Hell, do we expect Linux or NetBSD to do
> so? C'mon, people. If you're going to be quoted for publication, try
> to make statements reasonable to the actual importance of the issues
> at hand.

Say you are an engineer at a large car manufacturing company.  Suppose,
6 months after the 2004 model of your sedan goes out the door, you
discover, as an engineer who helped build it, that the car's frame is
flawed.  Suppose that it is so flawed that after 3 years, it may break
due to normal use, potentially causing bad crashes.

Is it your moral obligation to notify customers?  Sure you are going to
fix it in next year's model, that is a given.  But what about all those
people with a potentially deadly model?


Obviously, this is not the auto industry.  Some will argue that we are
not talking about life-and-death situations here.  But the reality is,
we are.  Software bugs can cause death, and have before, both on the
small scale, and the large scale.  (can you say "power outage"?) As the
world moves forward with "progress", it will become ever more important.
It is about time that IT professionals realize this and start expecting
quality out of the products they buy.

Hope that puts it into perspective for some people.

tim

