Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

From: Tim (tim-security_at_sentinelchicken.org)
Date: 02/18/04

    To: full-disclosure@lists.netsys.com
    Date: Wed, 18 Feb 2004 12:04:33 -0800
    
    

    > The first is that this IE bug is life-threatening. It's not.

    (look below)

    > The second is that IE cost the users' money. It didn't.

    IE is "part of the OS". Therefore users did pay for it.

    > It's not my moral responsibility to list every single component
    > that's wrong if I recall the vehicle. Microsoft has, several times
    > now, recalled the vehicle and replaced it for free.

    No, not every component. Just the ones that could lead to catastrophic
    failure. Does the auto industry report every bug that could lead to
    catastrophic failure without being forced to? No. Should they morally?
    Yes.

    > Where's the problem?
    > This is outrageous FUD. Web browsers are not used in medical
    > appliances.

    Oh? Have you worked in a hospital? I haven't, but I am willing to bet
    a lot of medical records and even appliances are run on Windows.
    Correct me if I am wrong.

    Regardless, we aren't just talking about the most obvious industries
    like the medical. What about cars? I believe M$ is trying to put CE or
    some variant into cars now. What about SCADA systems? Military?

    If you haven't figured it out yet, in a relatively small number of
    years, every freaking device you buy that does anything useful will have
    some kind of OS on it. If our current standard of security isn't
    raised... well fill in the blank.

    In any case, the comment I was originally responding to was:
    "Do we expect even Sun or Apple to tell us about every buffer overflow
    they fix? Hell, do we expect Linux or NetBSD to do so?"

    So you are the one who broadened the scope outside of browsers. I am
    merely responding to your narrow-minded view of what a software
    developer's responsibility is in situations like this. I am not just
    attacking M$. Most software sucks. Software developers and their
    companies need to be held more accountable for their actions.

    Respond if you wish, but I have made my statements and will no longer
    comment on this thread.

    tim

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

