Re: controversial paper

From: Paul Schlyter (pausch.DO.NOT.SPAM.ME_at_stockholm.bostream.se)
Date: 09/29/03


Date: Mon, 29 Sep 2003 08:41:49 +0200

George Ou wrote:
>
> On Sun, 28 Sep 2003 19:42:36 +0200, Mok-Kong Shen
> <mok-kong.shen@t-online.de> wrote:
> >Cypher wrote:
> >>
> >> The guy said that ALL vulnerabilities were now patched in windows, and you
> >> completly forgot the context, he was comparing them to a vacine. New
> >> virus(human) will come, old ones will mutate, the vacine is not for life.
> >> You guys had to take a perfectly clear statment and twist it all around.
> >
> >But there does seem to be some interpretation problem.
> >'All known vulnerabilities were now patched' would instead
> >not have been subjected to dispute, I suppose.
> >
> >M. K. Shen
>
> Ok, I apologize for not being completely clear. The context of my
> statement was in response to another statement that some critical
> vulnerabilities not related to Blaster were still not patched. Cypher
> has pretty much explained my statement about as good as I ever can.
>
> However, Mr. Schlyter and Mr. Amling's posts are cheap shots. They
> didn't even bother to look at the context or attempt to get any
> clarification.

OTOH one should strive to express oneself such that one's claims
don't get a completely different meaning when taken out of context,
because whatever you post and with whatever intent, someone will
inevitably read it out of context some time.

Thus, instead of "ALL vulnerabilities" you could have said e.g.
"All known Blaster-related vulnerabilities" --- doing so would
have saved both you and others of some typing.

BTW, someone else commented on this too, and your response was
no clarification -- you merely repeated your "ALL vulnerabilities".
Check out Message-ID: <c1dfnv4ngmnche11finck8o4gcca3pfbdm@4ax.com>,
and note that no-one ever claimed that "ALL vulnerabilities" had
been patched on any other OS. Also, criticsising Microsoft isn't
the same as "Microsoft hatred" as you claimed there. Here's that post:
----------------------------------------------------------------------

On Sun, 28 Sep 2003 23:56:12 -0400, "Douglas A. Gwyn"
<DAGwyn@null.net> wrote:

>George Ou wrote:
>> You're being silly or disingenuous. Any idiot would understand that I
>> meant ALL critical vulnerabilities are NOW patched. I never said that
>> there would never be another vulnerability released for Windows, all
>> my other posts are consistent with that.
>
>You keep missing the point. NOT all critical vulnerabilities
>are patched, just the ones that Microsoft has been made aware
>of and has developed patches for. It is almost certain that
>some hacker somewhere already knows of another vulnerability
>but has done nothing to bring it to Microsoft's attention.

You're the one that can't get it in to your thick skull that the same
holds true for any other OS or application, even Open Source. Just
look at BIND, Sendmail, or Apache. They're constantly discovering new
vulnerabilities every month, and I'm sure there are some holes that
are kept secret on those things too. Again, 99.99% of hackers and
WORMS rely on publicly known issues.

My advice to security professionals is that they worry only about the
known issues and let the researchers work on the unknown ones. 99% of
all networks do not have all their known holes plugged. Plugging all
of the known ones means you're in the top 1 percentile in terms of
hardness and the hackers will usually take an easier target.

>Further, not all Windows systems have installed the available
>patches, which is how the Blaster worm caused so much damage
>several weeks after the patch became available from Microsoft.

No, not all Windows systems have installed all available patches. But
one thing is crystal clear, Windows systems are now the best patched
of all the other systems. That's not because Microsoft users are more
diligent, but because they have been forced to clean up by blaster.
UNIX and Oracle systems are much more vulnerable to known issues on
the internal network because their immune systems are less exercised
due to the lack of WORMS written for them. But mark my word, if the
UNIX crowd such as McNealy and big mouth Ellison keeps ranting
"Unbreakable", it's gonna come back and bite them real hard. The day
a Windows WORM turns around and attacks known issues with UNIX and
Oracle systems and then threatens to nuke the corporate database will
be the apocalypse.

>The real world differs substantially from your model of it.

You're living in a dream world if you believe Microsoft is the only
one with most of the security problems. Try getting out of the news
groups one of these days and scan a large corporate network with a
vulnerability scanner sometimes. Your blind hatred for Microsoft has
rid you of all common sense.

George Ou
http://www.LANArchitect.net

-- 
----------------------------------------------------------------
Paul Schlyter,  Grev Turegatan 40,  SE-114 38 Stockholm,  SWEDEN
e-mail:  pausch at stockholm dot bostream dot se
WWW:     http://www.stjarnhimlen.se/
         http://home.tiscali.se/pausch/


Relevant Pages

  • Re: controversial paper
    ... >> meant ALL critical vulnerabilities are NOW patched. ... >of and has developed patches for. ... WORMS rely on publicly known issues. ... >several weeks after the patch became available from Microsoft. ...
    (sci.crypt)
  • Exploits Circulating for Unpatched Windows PCs
    ... Although Microsoft released a string of patches to fix security flaws in ... malicious software that targets security flaws for which patches have just ... fixes to address 21 security vulnerabilities, ...
    (comp.dcom.telecom)
  • Re: Spam Email with Executable Microsoft Update
    ... Hi - this is a virus - not from Microsoft; they don't send out patches via ... > all known security vulnerabilities affecting Internet ... > It comes with a attached executable file. ...
    (microsoft.public.security)
  • [Full-Disclosure] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Soluti
    ... And again each and every one of the method caching vulnerabilities liu and ... individuals, there I many many reasons why I dislike pivx, but I don't think ... registry patches nothing more, nothing less.. ... But ask yourself how seriously can you take a company that names 5 registry ...
    (Full-Disclosure)
  • RE: Patching
    ... There seems to be at least 5 or 6 new vulnerabilities released on ... As information security people, ... at those patches you need for what you do have running. ... network analyzers. ...
    (Security-Basics)