Re: [Full-Disclosure] Web sites compromised by IIS attack

From: Denis Dimick (denis_at_dimick.net)
Date: 07/01/04

    To: Paul Schmehl <pauls@utdallas.edu>
    Date: Wed, 30 Jun 2004 20:14:32 -0700 (PDT)
    
    

    Paul,

    If I'm understanding you correctly you don't understand Linux/Redhat. Or
    you're just being silly to make a point. sendmail, wftp, php, etc. are not
    owned by Redhat. Each of these applications is owned by someone else and
    Redhat is allowed to re-distribute them.

    And using the number of fixes/patches to an application as an indication
    of how good it is, is a bad thing. Using this logic you would have to say
    M$ is a good product.

    Denis

    On Wed, 30 Jun 2004, Paul Schmehl wrote:

    > --On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe <frank@knobbe.us>
    > wrote:
    > >
    > > Instead of requiring the consumer to install patches, Microsoft should
    > > be required to fix their own, broken products. That means that they
    > > should send their army of engineers (a lot of which are now carrying the
    > > CISSP certification) to the consumers and have their engineers correct
    > > the flaws in their products. They sold flawed products, they should fix
    > > it.
    > >
    > I'm right there with you, Frank, on one condition. You hold *every*
    > software vendor to the same standard. IOW, "Apache should be required to
    > fix their own, broken products"..."RedHat Linux should be
    > required"......"Oracle should be
    > required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc.,
    > etc., ad infinitum, ad nauseam.
    >
    > Be careful what you wish for. You may actually get it.
    >
    > I just upgraded my workstation from RedHat 9.0 to Fedora Core 1. I then
    > ran up2date and found that there were 142 software packages that needed to
    > be updated. Just before I did that, I ran portupgrade on one of my FreeBSD
    > boxes. It had 17 programs that had to be updated.
    >
    > If we're going to require that software vendors produce flawless products,
    > we're not going to have many software products. Even Postfix, which *to my
    > knowledge* has never had a security issue, has had numerous bug fixes.
    > (And I think so highly of Postfix that the first thing I do when I install
    > a new OS is replace sendmail with Postfix.)
    >
    > I attended a presentation yesterday for a security product in the
    > application firewall field. During the presentation, the CISSP stated that
    > "in every 1000 lines of code there will be 15 errors". I don't know if I'd
    > agree with that - I suspect most coders are a bit better than that - but I
    > had to chuckle, because, of course, I immediately thought, "So you admit
    > that your code is riddled with holes!"
    >
    > We need better methodologies for finding bugs in software. We need better
    > training of programmers. We need established standards for coding that
    > would define things like bounds checking. We need a *lot* of improvements
    > in software development, and those improvements need to be *industry-wide*,
    > not just Microsoft.
    >
    > Every time I read about a security vendor with a remote hole in their
    > products, I think, "How in the world can they identify attacks, if they
    > can't even see them in their own code?"
    >
    > Clearly the problem is a *lot* bigger than Microsoft alone.
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
