Re: How long?
From: Mike Arnold (mike@midkaemia.fsnet.co.uk)
Date: 08/20/02
- Previous message: John Canty: "RE: Problems with Virii Defintions"
- In reply to: Teodorski, Chris: "How long?"
- Next in thread: Wesley Shields: "Re: How long?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mike Arnold <mike@midkaemia.fsnet.co.uk> To: "Teodorski, Chris" <cteodorski@ppg.com>, "Security-Basics (E-mail)" <security-basics@securityfocus.com> Date: Tue, 20 Aug 2002 22:33:26 +0100
On Monday 19 Aug 2002 4:28 pm, Teodorski, Chris wrote:
> Does anyone know what the typical (average) lag time usually is from the
> time a hole is announced by Microsoft till we see that exploit being
> exploited? How long before the head script kiddie develops a tool to
> automate the exploit?
Quite funny, but the term "script kiddie" usually means someone who takes
someone else's code and runs it without knowledge of its technical
functioning. Call them what you will, they serve a valuable contribution to
security education.
Anyway on with a rant ... had a dull day at work :)
I'm a firm believer in the fact that, like it or not, the Black hats
generally are well ahead of the game. They are actively coordinating work and
exploiting code every minute of every day. There may be the odd chance that
the security community finds these holes before they do, but chances are they
have been using these for years in some cases.
Take for example, the SSL implementation "features" published recently. IE
5.0 I believe is the first version accredited (maybe spelt wrong, who knows!)
with it. When was that released? At the end of the day, this is not a new
vulnerability (It is a new *published* vulnerability, but not a *new*
vulnerability). IE 5.0 was released in 1999 I believe. That's when the Black
Hat community will almost certainly have been ripping it apart for
vulnerabilities. Probably even before that if - sorry, silly me - because
they had beta copies.
On average, yeah, Microsoft take a bloody long time to fix things. Complex
code? Maybe! Cheap PR? Almost certainly! The Open Source community, however,
reacted decisively, effectively and more professionally in my opinion! But
why worry now, we've been living with it for most likely 3 years.
At the end of the day there are no easy solutions to this, and while I would
like to blame Microsoft, it isn't solely their problem/issue. Until customers
insist on documented, standardised levels of security before they choose to
pay for their products and insist on answers to difficult questions when
those standards aren't met then we will continue to have these problems.
I personally would rather take my chances on code I can compile and check
myself if I need to. Code I know will be patched with speed and efficiency
when a problem is known. And a community that tells you when, how and why any
codebase may have been compromised. Instead of the corporate giant that won't
even tell you what the problem is!
At the end of the day, people *choose* to pay for Microsoft products, and
they *choose* to accept the terms and conditions of the Microsoft patching
policy. Only *they* can change that. Until end users stop blindly following
the features, and instead look for security and stability, that's how it will
be. I laugh at M$'s inability to patch their products in a timely fashion
because I have chosen not to use them unless I have to, other people have
chosen the opposite path, and good luck to them - it keeps me in a job which
M$ may say justifies their existence! It's a vicious circle.
<end rant>
Mike
--
"In their capacity as a tool, computers will be but a ripple on the surface of our culture. In their capacity as intellectual challenge, they are without precedent in the cultural history of mankind." Edsger Wybe Dijkstra on Computers