Full Disclosure mailing list archives

RE: Who's to blame for malicious code?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 17:44:32 -0600

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Tobias Weisserth
Sent: Wednesday, January 21, 2004 12:54 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Who's to blame for malicious code?

> And yes, we know by now. Then why is it so hard to demand
> "secure by default" from MS for millions of consumer end users?!

It's not, and I'm not.  I'm simply saying MS isn't going to solve the
problem *completely* by shipping a "secure" OS.

> No. By the time Blaster and its variants were on the way
> there didn't exist a patch.

That isn't true.  The patch for Blaster came out 26 days prior to the
release of Blaster.  I can document that with the email warnings that I
sent to the campus and the email I sent when the worm hit.

> Besides, you didn't even have to
> _do_ something to catch it.

Ah, but you did.  You had to ignore the patch that was released, either
intentionally or unintentionally.  :-)

> I had a case where I couldn't
> even reach the MS update site before I already had it again
> by sheer presence on the Internet.

Patch maintenance is good but it doesn't replace "secure by default"
settings.

Neither does "secure by default" eliminate patching.  These aren't
mutually exclusive concepts.  I understand what you're saying, and I
agree that MS needs to do a better job.  But so do users.

>> We have thousands of Windows machines running RPC, and none of them
>> are infected because they've all been patched.
>
> Well, then explain to me why Blaster was such a big hit on
> the net then?

Because people didn't patch.  It's really that simple.  It's been what?
Two or three years since Nimda and Code Red came out?  Why do we still
have infected boxes on the Internet?  Is *that* Microsoft's fault
*only*?  Do those users not share at least *some* of the blame?

> There is no stupid behaviour. When a user blindly runs an
> email attachment or forgets to patch his machine then this is
> not the user's fault.

?????  If I get in an M3 and drive 180 kph and enter a turn that has a
sign that says "Achtung!  65 kph!", is it BMW's fault when I crash?
Seriously, Tobias.  There has to be a point *somewhere* where the
manufacturers' responsibility ends and the users' begins!

> The fact that such an uneducated user
> can actually use the product this way is to blame on the
> vendor. Products have to be fool-proof. It isn't the end
> consumers who have to be fool-proof.

Then we'd better eliminate a lot of things - cars, electricity, running
water, etc., etc., because *none* of these are foolproof.  It's possible
to electrocute yourself simply by putting your finger in a socket, drown
yourself in the bathtub, kill yourself in a car by crashing.  Are all
these negative outcomes the manufacturers' fault?

> OpenBSD isn't aimed at the consumer, it is aimed at the
> system administrator. The point why I brought up OpenBSD is
> that even if the Apache ports package shipped with OpenBSD
> causes the risk of system compromise due to a bug then this
> isn't tragic because only those users actually running Apache
> have to care. Other users don't bother since OpenBSD comes
> with minimum enabled services. That's what makes it different
> from MS. You fail to recognise that.

No, I *do* recognize that.  I'm just not willing to absolve the users
entirely of all blame.

> But sometimes weeks after first exploits have shown up. There
> are still numerous unfixed flaws in IE6 and beneath that can
> be exploited.

This is true, and you *can* blame Microsoft for that.

> No. Users are never wrong. Get that into your heads techies.
> THEY are the customers, WE have to supply products THEY can
> use WITHOUT making these mistakes. If THEY fail to use OUR
> product the way WE intended to then it is OUR fault not
> THEIRS. It's as simple as that.

It's an impossible goal.
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
