Message-ID: <1088649350.556.94.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Web sites compromised by IIS attack

On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:
> I'm right there with you, Frank, on one condition.  You hold *every* 
> software vendor to the same standard. 
> [...]
> If we're going to require that software vendors produce flawless products, 
> we're not going to have many software products.  Even Postfix, which *to my 
> knowledge* has never had a security issue, has had numerous bug fixes. 
> (And I think so highly of Postfix that the first thing I do when I install 
> a new OS is replace sendmail with Postfix.)

Heya Paul,

Well, there is a difference between *free* stuff you choose to pull from
the Internet and run yourself. Community driven projects should require
that everyone running the product is doing their part to fix flaws (even
if it just means reporting it to someone who can fix it).

The difference is with products you *pay for*. If you *buy* a product
you trade your money (perhaps chicken in other parts of the world) in
the amount considered to equal the worth of the product. You should
expect to receive a working product in return.

My beef is that we started to accept broken products, and we assumed the
task of fixing broken products ourselves. That task should not fall on
us but on the manufacturer.

> We need better methodologies for finding bugs in software. 

Right. But we also need better methodologies for vendors to fix their
products. The emphasis here is on "the vendor fixing the broken
product". It should not be a burden on the consumer, but on the vendor.

And yes, I'm not targeting Microsoft in particular, although they are
the most blatant abusers of consumer rights. I intentionally included
all manufacturers of commercial software products.

Cheers,
Frank

