From: tim-security at sentinelchicken.org (Tim)
Subject: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

> The first is that this IE bug is life-threatening. It's not.

(look below)

> The second is that IE cost the users' money. It didn't.

IE is "part of the OS".  Therefore users did pay for it.

> It's not my moral responsibility to list every single component
> that's wrong if I recall the vehicle. Microsoft has, several times
> now, recalled the vehicle and replaced it for free.

No, not every component.  Just the ones that could lead to catastrophic
failure.  Does the auto industry report every bug that could lead to
catastrophic failure without being forced to?  No.  Should they morally?
Yes.

> Where's the problem?
> This is outrageous FUD. Web browsers are not used in medical
> appliances.

Oh?  Have you worked in a hospital?  I haven't, but I am willing to bet
a lot of medical records and even appliances are run on Windows.
Correct me if I am wrong.

Regardless, we aren't just talking about the most obvious industries
like the medical.  What about cars?  I believe M$ is trying to put CE or
some variant into cars now.  What about SCADA systems?  Military?

If you haven't figured it out yet, in a relatively small number of
years, every freaking device you buy that does anything useful will have
some kind of OS on it.  If our current standard of security isn't
raised... well, fill in the blank.

In any case, the comment I was originally responding to was:
"Do we expect even Sun or Apple to tell us about every buffer overflow
they fix? Hell, do we expect Linux or NetBSD to do so?"

So you are the one who broadened the scope outside of browsers.  I am
merely responding to your narrow-minded view of what a software
developer's responsibility is in situations like this.  I am not just
attacking M$.  Most software sucks.  Software developers and their
companies need to be held more accountable for their actions.

Respond if you wish, but I have made my statements and will no longer
comment on this thread.

tim
