Full Disclosure mailing list archives

RE: Who's to blame for malicious code?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 12:23:33 -0600

-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com] 
Sent: Wednesday, January 21, 2004 9:30 AM
To: Schmehl, Paul L
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Who's to blame for malicious code?

Wasn't it you that made the argument during the msblaster 
episode that patching was a dead horse, that most env's of 
significantly sized userbase were understaffed for the 
NUMEROUS patches that faced windows admins at the time and 
currently?

Yes, I believe it was me, although you could easily verify that with the
archives.

<perhaps I'm thinking it was you and in fact it 
was someone else>  Either the argument was false then and 
windows admins were and remain just plain lazy, or the 
argument was/is true and there's a problem within the core 
OS offered up from redmond...

This is where we disagree.  You contend that admins are lazy.  I contend
that that is not the case at all, and I take issue with that
characterization because it misrepresents the problem.  The problem is
deploying patches to an enterprise in a timely manner.  Just because
admins don't get patches deployed in time does not mean they are lazy or
don't care.  They may have problems you can't even imagine in trying to
get the patches deployed.  But the fact remains, *if* the patches get
deployed, the problem is solved and the malicious code has no impact.

I don't see how these two points are at odds with each other or that one
"disproves" the other.

My point is not that Microsoft is blameless.  They obviously are not.
My point is that even though Microsoft could certainly be doing a much
better job, the problem *still* won't be solved if users don't patch.
That is true of *any* OS.  Tobias wants to lay *all* the blame at
Microsoft's feet, and I disagree.  Would you place all the blame on the
openssl developers if someone gets hacked through an openssl vuln six
months after the patch is released?  (There are some here who do.)
Would you blame Linus for vulns in the Linux kernel that get hacked 3
months after a patch is available?

There's a real double standard going on here.  If an open source program
has a problem, everyone blames the users when they don't patch and
praises open source for being...well...open.  Yet in the *exact* same
scenario, they want to assign *all* the blame to Microsoft, and that
does a disservice to the Internet as a whole and compounds the problem,
because it communicates to users that, if you use Microsoft, you are not
to blame for the malicious code that your machine was compromised by.

Until we communicate a *consistent* message to users that *they* also
have some responsibility in the battle against malicious code, this
problem will never go away.

Perhaps that's what the anti-MS crowd really wants.  That way they can
continue to carp and complain about MS without *really* solving the
problem.

Hopefully that clarifies my position.
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

