Full Disclosure mailing list archives
RE: Who's to blame for malicious code?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 12:23:33 -0600
-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Wednesday, January 21, 2004 9:30 AM
To: Schmehl, Paul L
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Who's to blame for malicious code?

> Wasn't it you that made the argument during the msblaster episode that patching was a dead horse, that most env's of significantly sized userbase were understaffed for the NUMEROUS patches that faced windows admins at the time and currently?
Yes, I believe it was me, although you could easily verify that with the archives.
> <perhaps I'm thinking it was you and in fact it was someone else> Either the argument was false then and windows admins were and remain just plain lazy, or the argument was/is true and there's a problem within the core OS offered up from redmond...
This is where we disagree. You contend that admins are lazy. I contend that that is not the case at all, and I take issue with that characterization because it misrepresents the problem. The problem is deploying patches to an enterprise in a timely manner. Just because admins don't get patches deployed in time does not mean they are lazy or don't care. They may have problems you can't even imagine in trying to get the patches deployed. But the fact remains, *if* the patches get deployed, the problem is solved and the malicious code has no impact. I don't see how these two points are at odds with each other or that one "disproves" the other.

My point is not that Microsoft is blameless. They obviously are not. My point is that even though Microsoft could certainly be doing a much better job, the problem *still* won't be solved if users don't patch. That is true of *any* OS. Tobias wants to lay *all* the blame at Microsoft's feet, and I disagree. Would you place all the blame on the openssl developers if someone gets hacked through an openssl vuln six months after the patch is released? (There are some here who do.) Would you blame Linus for vulns in the Linux kernel that get hacked 3 months after a patch is available?

There's a real double standard going on here. If an open source program has a problem, everyone blames the users when they don't patch and praises open source for being...well...open. Yet in the *exact* same scenario, they want to assign *all* the blame to Microsoft, and that does a disservice to the Internet as a whole and compounds the problem, because it communicates to users that, if you use Microsoft, you are not to blame for the malicious code that your machine was compromised by. Until we communicate a *consistent* message to users that *they* also have some responsibility in the battle against malicious code, this problem will never go away. Perhaps that's what the anti-MS crowd really wants. That way they can continue to carp and complain about MS without *really* solving the problem.

Hopefully that clarifies my position.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/