Message-ID: <Pine.LNX.4.50.0406301956320.27457-100000@server.dimick.net>
From: denis at dimick.net (Denis Dimick)
Subject: Web sites compromised by IIS attack

Please see below..

On Wed, 30 Jun 2004, Frank Knobbe wrote:

> On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:
> > I'm right there with you, Frank, on one condition.  You hold *every* 
> > software vendor to the same standard. 
> > [...]
> > If we're going to require that software vendors produce flawless products, 
> > we're not going to have many software products.  Even Postfix, which *to my 
> > knowledge* has never had a security issue, has had numerous bug fixes. 
> > (And I think so highly of Postfix that the first thing I do when I install 
> > a new OS is replace sendmail with Postfix.)
> 
> Heya Paul,
> 
> well, there is a difference between *free* stuff you choose to pull from
> the Internet and run yourself. Community driven projects should require
> that everyone running the product is doing their part to fix flaws (even
> if it just means reporting it to someone who can fix it).

They pretty much do. That is if the application is one that users have 
found worth supporting.

> 
> The difference is with products you *pay for*. If you *buy* a product
> you trade your money (perhaps chicken in other parts of the world) in
> the amount considered to equal the worth of the product. You should
> expect to receive a working product in return.
> 
> My beef is that we started to accept broken products, and we assume the
> task of fixing broken products ourselves. That task should not fall on
> us but on the manufacturer.

So can I assume that you would allow a vendor to remotely patch your 
system? 

> 
> > We need better methodologies for finding bugs in software. 
> 
> Right. But we also need better methodologies for vendors to fix their
> products. The emphasis here is on "the vendor fixing the broken
> product". It should not be a burden on the consumer, but on the vendor.
> 

Like I said, do you REALLY want a vendor to install patches for you?

> And yes, I'm not targeting Microsoft in particular, although they are
> the most blatant abusers of consumer rights. I intentionally included
> all manufacturers of commercial software products.
> 

I think, Frank, that you're starting to point out a problem for M$ and other 
vendors. They don't have the money to support their products any longer. 
M$ has somewhere like 20,000 paid programmers; how many programmers are 
working on open source products? 100,000 plus, maybe more. How do you 
expect a company like M$ to compete? I don't think they can.

Denis

> Cheers,
> Frank
> 
> 
