RE: CyberInsecurity: The cost of Monopoly

["Rick Kingslan" <rkingsla () cox net>]

Gregory,

Given some hours to think about this topic, my post, and your thoughtful
reply - I concur that you nailed it on the head and I read way too much into
Fabio's post.  And, because of the long-running thread, much of the initial
assertion and report (true - it IS good work) was lost in the various
poster's replies.

So, to that - I take complete blame for not following back far enough to
understand the total context of the message.

But, I will stand by my statement that the juicy target is still Windows and
IIS.  In another post - I stand corrected in the fact that Apache is,
percentage-wise, a juicy target.  Touché.  However, why write for Apache
when IIS is so much easier still?  IIS 6.0 makes strides.... But, the
community as a whole will not truly be safer until the entire package is
treated with the same 'crap - let's just re-write it' attitude.  (This,
naturally assumes that MS and it's products are in existence - if the
counter takes place, it's not much of an issue...)

Thanks for the reality check, Gregory.

-rtk

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Gregory A.
Gilliss
Sent: Saturday, September 27, 2003 1:09 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] CyberInsecurity: The cost of Monopoly

I suspect we are starting a game of telephone ...

It appears to me (and I'm going to be nice and *not* include the entire
thread in the message ;-) that this started out with the citation of the
CCIA paper regarding Dan Geer getting shown the door.
The response (which was posted by Jon on behalf of Fabio) ends with the
statement "These guys have done a GREAT WORK!" which appears to refer to the
paper (Geer et al). Unfortunately that post was preceded by some rant and
ramble that did not clearly support the final thought (namely "huzzah for
Geer et al"). 

Taken individually, Fabio's points include:

- Removing Microsoft's monopoly somehow also will remove AV companies
- Microsoft doesn't give a rat's a** about security
- Vulnerabilities can only be fixed before they become a business
- Open source software has not been targeted by viruses
- Open source rulez
- Geer et al wrote a great report

FWIW, my replies to the assertions (as I have enumerated them above):

- false assertion
- true assertion
- ?
- true (exploits, OTOH...)
- agree
- strongly agree

With apologies to Fabio, I suspect that this may be an example of a
non-native English speaker's post being misinterpreted. I truly doubt that
the intent was to incite a discussion of Microsoft and/or virus writing.
That was actually (and if Fabio reads this and disagrees I hope that he will
correct me) just fodder for the final show of support for the report by Geer
et al.

For the record, I am withholding comment on Geer's separation and @Stake's
position until and unless more facts come to light. I suspect several of the
@Stake guys can read this and that they are free to participate in the
discussion (...or maybe not). I stand by my prior post - the report stands
on its own merits.

G

On or about 2003.09.26 23:07:14 +0000, Rick Kingslan (rkingsla () cox net)
said:

<SNIP>
Find it yourself - clipped for brevity
</SNIP>

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872
2420
Computer Engineering                                   E-mail:
greg () gilliss com
Computer Security                                                ICQ:
123710561
Software Development                          WWW:
http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C
A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html