lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0407100331040.1418@qrag.fhfr.qr>
From: draht at suse.de (Roman Drahtmueller)
Subject: Microsoft laxed security is threat to internet

[...]
> How much of a percentage of discussion and disclosure on this list is
> actually counter acting script kiddie hood and how much is actually
> aiding them to carry out further malicious activities across the
> internet on a global scale?
[...]

nearly 100%, because if it is not this forum, it will be another. Are you
naive enough to believe that there is a benefit in NOT disclosing
vulnerabilities? Or that vulnerabilities cannot be investigated if the
source code of the software is not available? If there is not a clear 
"Yes, it's better if vulnerabilities and source code are not publically 
available!", then you argue for transparency and openness. 
I'd rather trust a greyhat who openly discusses his findings than a vendor 
who doesn't, because my faith in him is rationally traceable.

> Yes, you can use this list to make vendors aware of a security
> situation. Although how many users are updating straight away and how
> many users are unaware of a flaw.
> 
> I think security lists are geared up more at the vendor patching X,
> than making the consumer aware of a security flaw and asking them to
> update.

My mom (to use an example) doesn't know what you're talking about. But she 
knows about a vendor's responsibility - full-disclosure@ has contributed 
to security matters being hyped in the media, forcing vendors to take 
action. Before bugtraq, vendors didn't even have enough reason to care for 
their bugs. So don't complain about security mailing lists such as 
full-disclosure@ not meeting YOUR requirement of making the consumer aware 
of flaws - the absence of the list and its contributions wouldn't leave 
the customer any choice in the first place.

[...]

[F**k not quoted]
> They (Microsoft) need to start using "Auto Updating" home and small
> business network's, and it doesn't matter about the critics who say
> it's a breach of privacy and you have no right modifying a users
> computer. At the end of the day, we are talking about the spawning of
> very large bot net's owned by script kiddies, who can easily take down
> internet back bones and take out key infrastructure, which the very
> existence of the internet depends on.

(*)

> FD or BUGTRAQ can't save us now. Only Microsoft can. Implement Auto
> updating software for security patches without delay.
> 
> I don't have much faith in Service Pack 2 (The overhaul of Mircosoft code).
> 
> All of these Microsoft exploits will be the death of the internet one
> day, when script kiddies decide to execute the mother of all denial of
> service attacks against the internet. Trust me, bot net's big enough
> are paused and waiting for such a day.

The cause of death of the internet will not be a technical one (like a
global communication blackout), but a sociological one: countless useless
attempts to solve human problems with technical means, the loss of trust
in software vendors and other corporations due to the loss of privacy and 
respect.

(*): Looks like you have chosen already.

Roman.
-- 
 -                                                                      -
| Roman Drahtm?ller      <draht@...e.de> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| N?rnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ