Re: Call to arms - INFORMATION ANARCHY

From: mshines (mshines@PURDUE.EDU)
Date: 11/02/01


Message-ID:  <035e01c163eb$4cd0a0d0$4f65d280@MI543>
Date:         Fri, 2 Nov 2001 17:11:18 -0500
From: mshines <mshines@PURDUE.EDU>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Russ, et al:

Withholding information from the white hats that is well known (and widely
circulated) to the black hats is also irresponsible computing.

Timely response is necessary - and ultimately that first line of defense is
the sysop/sysadmin/Administrator or whatever you wish to call the systems
programmer.

The sysadmin needs the assistance of the vendor community (especially in the
absence of source code) to get timely patches in place. To expect that to
take weeks or months is not reasonable. To get a fix that makes things
worse is irresponsible.

One also has to wonder what value is added in the QA processes, considering
the costs of some of this commercial software.

As has been repeated many times over - the vulnerabilities we are seeing
today have been around for over 20 years... we just keep repeating the same
mistakes. When are we going to learn from the mistakes and learn secure
programming?

Some ideas just don't make sense - like executing foreign unknown code (such
as your favorite scripting MIME documents, or applets in web pages, or
e-mail attachments from unknown sources); automatically executing code when
opening documents; or anything that can happen before the user gains control
or has an option to accept/reject an activity on the computing device.
Features are added in the interest of 'user friendliness'. We've become way
way too 'user friendly'.

I think.....

Mike Hines
---------------------------------------------------------
Michael S Hines | Phone 765-494-5875
Purdue University | FAX 765-496-1380
Information Technology@Purdue | Email mshines@purdue.edu
OS/390 Systems Programmer | Certifications:
1059 Freehafer Hall | CIA, CISA, CFE, CDP
West Lafayette, IN 47907-1061 |
