RE: [Full-Disclosure] Who's to blame for malicious code?

From: Ron DuFresne (dufresne_at_winternet.com)
Date: 01/22/04

    To: "Schmehl, Paul L" <pauls@utdallas.edu>
    Date: Wed, 21 Jan 2004 22:59:03 -0600 (CST)

    [headers snipped]

    >
    > Yes, I believe it was me, although you could easily verify that with the
    > archives.
    >
    > > <perhaps I'm thinking it was you and in fact it
    > > was someone else> Either the argument was false then and
    > > Windows admins were and remain just plain lazy, or the
    > > argument was/is true and there's a problem within the core
    > > OS offered up from Redmond...
    > >
    > This is where we disagree. You contend that admins are lazy. I contend
    > that that is not the case at all, and I take issue with that
    > characterization because it misrepresents the problem. The problem is
    > deploying patches to an enterprise in a timely manner. Just because
    > admins don't get patches deployed in time does not mean they are lazy or
    > don't care. They may have problems you can't even imagine in trying to
    > get the patches deployed. But the fact remains, *if* the patches get
    > deployed, the problem is solved and the malicious code has no impact.
    >
    > I don't see how these two points are at odds with each other or that one
    > "disproves" the other.
    >

    Which further proves the point that keeping up to date on patches is not
    the answer. Not for the home user, who most often lacks the knowledge of
    the threats they really face within the env that is the Internet, nor for
    the corporate enterprise, where dependencies and uptimes and SLAs and such,
    as well as change management processes, do not conform well to quarterly
    patching, let alone weekly or worse, trying to keep up on whether or not
    this patch undoes what last week's patches did.

    > My point is not that Microsoft is blameless. They obviously are not.
    > My point is that even though Microsoft could certainly be doing a much
    > better job, the problem *still* won't be solved if users don't patch.
    > That is true of *any* OS. Tobias wants to lay *all* the blame at
    > Microsoft's feet, and I disagree. Would you place all the blame on the
    > openssl developers if someone gets hacked through an openssl vuln six
    > months after the patch is released? (There are some here who do.)
    > Would you blame Linus for vulns in the Linux kernel that get hacked 3
    > months after a patch is available?
    >

    If Linus acquired all the rights to all that SCO code that apparently is
    Linux, and it all suffered one open wound compounding another with
    bi-weekly and weekly patches reversing each time you installed a new
    printer or card into the box, I think he'd likely be getting hammered in a
    list like this pretty hard.

    > There's a real double standard going on here. If an open source program
    > has a problem, everyone blames the users when they don't patch and
    > praises open source for being...well...open. Yet in the *exact* same
    > scenario, they want to assign *all* the blame to Microsoft, and that
    > does a disservice to the Internet as a whole and compounds the problem,
    > because it communicates to users that, if you use Microsoft, you are not
    > to blame for the malicious code that your machine was compromised by.
    >

    Remnants of the Morris worm are not still pounding at my gateway devices
    and triggering countless IDS systems across the net, let alone reinfecting
    new systems faster than one can patch them, while Nimda, Code Red, and
    Slammer still are, and likely will for years to come. The anti-M$ outcry is
    not something totally new; ask Russ Cooper about his days on the old,
    pretty well defunct firewalls list, prior to his putting up NTBugtraq, when he
    was almost a lone wolf in Redmond's defense back then. No, the outcry is
    not new, but the veracity and spread, and that the voices of those who
    have to administer those various Windows corporate systems are joining in,
    is what's different in the latest round. It's not just the "anti-M$"
    crowd, it's Redmond's own customer base starting to wind up. That has to
    be a wake-up call for dramatic action from this major vendor, who might
    have joined in on Personal Firewall Day if only to advise and remind home
    users about patching and about enabling their ICF subsystems, and closing
    all those unsafe defaults installed open... they have the cash for such an
    endeavour.

    > Until we communicate a *consistent* message to users that *they* also
    > have some responsibility in the battle against malicious code, this
    > problem will never go away.
    >
    > Perhaps that's what the anti-MS crowd really wants. That way they can
    > continue to carp and complain about MS without *really* solving the
    > problem.
    >
    > Hopefully that clarifies my position.
    >

    Muchly, sorry to push you to the point of clarity. But, let me pose a
    question:

    If the *BSD maintainers, or those charged with the Linux kernel and the
    various Linux apps, or say the OS X folks, wrote code that was repeatedly, time
    and again, worked over by some of the simple issues that again and again
    affect each version of Windows OSes, would they remain as popular as they
    have with those disillusioned by that which spews out of Redmond? Perhaps
    not; after all, there is a key difference in the marketing and cost
    associated with the products...

    Or, another question:

    I was being courted a few years ago to join a team to move the Hotmail and
    MSN systems off Sun boxen to their own OS. Has that task yet been
    completed, and if not, why? Or better yet, why were they not installed first
    show on a Windows OS?

    Thanks,

    Ron DuFresne
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity. It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
            ***testing, only testing, and damn good at it too!***

    OK, so you're a Ph.D. Just don't touch anything.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

