Open Source and information security mailing list archives
 
Message-ID: <Pine.LNX.4.50.0406301945030.27457-100000@server.dimick.net>
From: denis at dimick.net (Denis Dimick)
Subject: Web sites compromised by IIS attack

Frank,

I think you're barking up the wrong tree here. Any admin worth his/her salt
would at least keep up with security, and try to keep current on all the
required patches. There's very little reason to expect, let alone blame M$
for acting the way they have always acted.

As long as acting this way will make them money, then they're going to keep
acting this way. If you're really mad, then go after the retarded CIOs that
don't see anything wrong with giving money to companies that act this way.

Denis


On Wed, 30 Jun 2004, Frank Knobbe wrote:

> On Wed, 2004-06-30 at 15:58, TIERNAN RAY, BLOOMBERG/ NEWSROOM: wrote:
> > [...] Sites running Microsoft server software, such as the
> > Kelley Blue Book, were infected with malicious code.
> > [...]
> >      ``Our site was infected,'' said Robyn Eckard, a spokeswoman
> > for Kelley Blue Book, an automotive pricing site at
> > http://www.kbb.com. Users tipped off the site Wednesday that one
> > of 15 Web servers running Microsoft's IIS was infected, she said.
> > [...]
> 
> If this email is real (and the headers do look legit), I have to applaud
> Kelley Blue Book for coming forward with this information. It takes a
> bit of guts to make an announcement like this. But I don't think
> Kelley's Admins are to blame. 
> 
> Administrators should spend their time on keeping systems operating,
> setting up jobs, and satisfying business requirements. They should not
> have to spend their time fixing broken products.
> 
> No. The blame squarely falls on the manufacturers of broken products.
> They should produce software that works. That includes QA, product
> testing, due diligence etc. (Insert your favorite car analogy here)
> 
> I think we all have tolerated broken software products for too long. It
> is high time to demand better products, or to select alternative
> products. We need to stop accepting software riddled with flaws and
> instead demand better quality software. No other products besides
> software are purchased with flaws -- knowingly at least, and consumer
> oriented organizations are making sure that consumers know about
> defects. Why should software be different? Because it is more convenient
> for the manufacturer and not the consumer to fix it after the sale? We
> should start treating software like any other product. If it's broken,
> the producer is required to fix it, not the consumer. 
> 
> No, I do not blame the companies of compromised servers, nor their
> admins. I blame the manufacturer of the product. So, with sympathy to
> Kelley Blue Book, and all other companies that had been affected, I say
> "Shame on you, Microsoft."
> 
> Instead of requiring the consumer to install patches, Microsoft should
> be required to fix their own, broken products. That means that they
> should send their army of engineers (a lot of which are now carrying the
> CISSP certification) to the consumers and have their engineers correct
> the flaws in their products. They sold flawed products, they should fix
> it.
> 
> Regards,
> Frank
> 
> 
> 

