lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1084557928.7813.48.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: New therad: sasser, costs, support etc
	alltogether

Hi Radule,

On Fri, 2004-05-14 at 17:27, Radule Soskic wrote:
> I can't post this to all the threads that I would like to, so I'm
> opening a new one. 
> 
> Follow this:
> 
> 1. MS is wrongdoing by releasing (and charging for use of) software that
> has bugs in it. Users of such software have losses in time/money by
> trying to keep up with applying pathches, or just by trying to keep the
> uptime high.

Guess what. Everybody releases software that has bugs in it. That's
totally not the point. What MS does wrong is the non-disclosure of
security, the sometimes bad quality of the patches and their late and
untimely release (though the later isn't true with Sasser).

Still, these shortcomings (a more suitable word than wrongdoing) are no
crime.

> 2. Admins are wrongdoing by not applying patches to the systems they
> maintain. There are losses tied to such misspractice, too.

This is again a shortcoming but no crime. If I don't patch and nobody
exploits me, then where is the problem?

> 3. Worm authors are wrongdoing by writing software that propagate
> through the networks by exploiting all of the above. Again, the losses
> occur in time/money spent to remove the worms from the systems affected.

There's the financial loss on one side and the fact that they are in
fact criminals. All I'm asking for is that these crimes be punished by
the letters of the law.

> It is obvious that almost every legal system in the world treats #3 as
> crime, while #2 and #1 are broadly tolerated.

Exactly my point.

> Noone here is against the
> book of law, but it just seems to be in contrast to the natural and
> intuitive feeling of justice that majority of people might have
> regarding the issues like these. See - only one of the three wrongdoers
> is being punished. 

That's because the other two simply are shortcomings in contrast to
actually wrongdoing or crime with intent.

> Is it right? Or - is it wrong? 

Well, should a 16 year old girl, wandering late about New York Central
Parc be punished when somebody rapes her? Obviously she did something
wrong, wandering late at night and without protection in a dangerous
place? Should this wrongdoing of her be used in the legal defence of the
guy raping her?

> BTW, I have a funny feeling that damages/losses caused by #3 might very
> often be far less than the ones caused by #2 and #1. 

If I don't patch a bug and nobody exploits it I don't suffer damages.
Now, is not patching immediately leading to damages? Only if someone
actually exploits this bug. *Their* criminal behaviour is needed to make
my shortcoming a part of the problem.

> Am I alone?

I guess many people are scrambling to the rescue of this kiddo because
his victims were using "M$" products. Would the victims have been users
of OpenBSD products or some Linux distribution or VMS or some other
superior product, everybody would have gone for the kids head.

Let's be colourblind for a moment, OK? Let's pretend you don't know what
bug has been exploited on what product. Let's still suppose there has
been a patch available for two weeks and the problem was well announced
in the media. Now let's look at what the Sasser author has done, the
damages he has caused. I guess the reaction would have looked a bit
different. I've never heard of a fund being raised for the guys that
broke into the Debian server (well, they haven't been caught yet...).

This whole debate about MS guilt is hypocritical.

Who am I talking to anyway?! I'm not even using a single MS product...

Tobias


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ