Full Disclosure mailing list archives
RE: Who's to blame for malicious code?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 17:44:32 -0600
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tobias Weisserth
Sent: Wednesday, January 21, 2004 12:54 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Who's to blame for malicious code?

> And yes, we know by now. Then why is it so hard to demand "secure by default" from MS for millions of consumer end users?!
It's not, and I'm not. I'm simply saying MS isn't going to solve the problem *completely* by shipping a "secure" OS.
> No. By the time Blaster and its variants were on the way, there was no patch.
That isn't true. The patch for Blaster came out 26 days prior to the release of Blaster. I can document that with the email warnings that I sent to the campus and the email I sent when the worm hit.
> Besides, you didn't even have to _do_ anything to catch it.
Ah, but you did. You had to ignore the patch that was released, either intentionally or unintentionally. :-)
> I had a case where I couldn't even reach the MS update site before I already had it again by sheer presence on the Internet. Patch maintenance is good but it doesn't replace "secure by default" settings.
Neither does "secure by default" eliminate patching. These aren't mutually exclusive concepts. I understand what you're saying, and I agree that MS needs to do a better job. But so do users.
>> We have thousands of Windows machines running RPC, and none of them are infected because they've all been patched.

> Well, then explain to me why Blaster was such a big hit on the net?
Because people didn't patch. It's really that simple. It's been what? Two or three years since Nimda and Code Red came out? Why do we still have infected boxes on the Internet? Is *that* Microsoft's fault *only*? Do those users not share at least *some* of the blame?
> There is no stupid behaviour. When a user blindly runs an email attachment or forgets to patch his machine, then this is not the user's fault.
????? If I get in an M3 and drive 180 kph and enter a turn that has a sign that says "Achtung! 65 kph!", is it BMW's fault when I crash? Seriously, Tobias. There has to be a point *somewhere* where the manufacturers' responsibility ends and the users' begins!
> The fact that such an uneducated user can actually use the product this way is to be blamed on the vendor. Products have to be fool-proof. It isn't the end consumers who have to be fool-proof.
Then we'd better eliminate a lot of things - cars, electricity, running water, etc., etc., because *none* of these are foolproof. It's possible to electrocute yourself simply by putting your finger in a socket, drown yourself in the bathtub, kill yourself in a car by crashing. Are all these negative outcomes the manufacturers' fault?
> OpenBSD isn't aimed at the consumer; it is aimed at the system administrator. The reason I brought up OpenBSD is that even if the Apache ports package shipped with OpenBSD carries the risk of system compromise due to a bug, this isn't tragic, because only those users actually running Apache have to care. Other users don't have to bother, since OpenBSD ships with a minimum of enabled services. That's what makes it different from MS. You fail to recognise that.
No, I *do* recognize that. I'm just not willing to absolve the users entirely of all blame.
> But sometimes weeks after the first exploits have shown up. There are still numerous unfixed flaws in IE6 and below that can be exploited.
This is true, and you *can* blame Microsoft for that.
> No. Users are never wrong. Get that into your heads, techies. THEY are the customers; WE have to supply products THEY can use WITHOUT making these mistakes. If THEY fail to use OUR product the way WE intended, then it is OUR fault, not THEIRS. It's as simple as that.
It's an impossible goal.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html