Full Disclosure mailing list archives
RE: Who's to blame for malicious code?
From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 21 Jan 2004 22:59:03 -0600 (CST)
[headers snipped]
Yes, I believe it was me, although you could easily verify that with the archives. <perhaps I'm thinking it was you and in fact it was someone else> Either the argument was false then and windows admins were and remain just plain lazy, or the argument was/is true and there's a problem within the core OS offered up from redmond... This is where we disagree. You contend that admins are lazy. I contend that that is not the case at all, and I take issue with that characterization because it misrepresents the problem. The problem is deploying patches to an enterprise in a timely manner. Just because admins don't get patches deployed in time does not mean they are lazy or don't care. They may have problems you can't even imagine in trying to get the patches deployed. But the fact remains, *if* the patches get deployed, the problem is solved and the malicious code has no impact. I don't see how these two points are at odds with each other or that one "disproves" the other.
Which further proves the point that keeping up to date on patches is not the answer. Not for the home user who most often lacks the knowledge of the threats they really face within the env that is the Internet, nor for the corporate enterprise, where dependencies and uptimes and SLAs and such as well as change management processes do not conform well to quarterly patching let alone weekly or worse, trying to keep up on whether or not this patch undoes what last week's patches did.
My point is not that Microsoft is blameless. They obviously are not. My point is that even though Microsoft could certainly be doing a much better job, the problem *still* won't be solved if users don't patch. That is true of *any* OS. Tobias wants to lay *all* the blame at Microsoft's feet, and I disagree. Would you place all the blame on the openssl developers if someone gets hacked through an openssl vuln six months after the patch is released? (There are some here who do.) Would you blame Linus for vulns in the Linux kernel that get hacked 3 months after a patch is available?
If Linus acquired all the rights to all that SCO code that apparently is linux, and it all suffered one open wound compounding another with bi-weekly and weekly patches reversing each time you installed a new printer or card into the box, I think he'd likely be getting hammered in a list like this pretty hard.
There's a real double standard going on here. If an open source program has a problem, everyone blames the users when they don't patch and praises open source for being...well...open. Yet in the *exact* same scenario, they want to assign *all* the blame to Microsoft, and that does a disservice to the Internet as a whole and compounds the problem, because it communicates to users that, if you use Microsoft, you are not to blame for the malicious code that your machine was compromised by.
Remnants of the morris worm are not still pounding at my gateway devices and triggering countless IDS systems across the net, let alone reinfecting new systems faster than one can patch them, while nimda, code-red, and slammer still are, and likely to for years to come. The anti-m$ outcry is not something totally new, ask Russ Cooper about his days on the old pretty well defunct firewalls list, prior to his putting up ntbugtraq, he was almost a lone wolf in redmond's defense back then. No, the outcry is not new, but the veracity and spread, and into the voices of those that have to administer those various windows corporate systems are joining in is what's different in the latest round. It's not just the "anti-M$" crowd, it's redmond's own customer base starting to wind up. That has to be a wakeup call for dramatic action from this major vendor, who might have joined in on personal firewall day if only to advise and remind home users about patching and about enabling their ICF subsystems, and closing all those unsafe defaults installed open... they have the cash for such an endeavour.
Until we communicate a *consistent* message to users that *they* also have some responsibility in the battle against malicious code, this problem will never go away. Perhaps that's what the anti-MS crowd really wants. That way they can continue to carp and complain about MS without *really* solving the problem. Hopefully that clarifies my position.
muchly, sorry to push you to the point of clarity. but, let me pose a question; if the *bsd maintainers, or those charged with the linux kernel and the various linux apps, or say OS X folks wrote code that was repeatedly, time and again worked over by some of the simple issues that again and again affect each version of windows OS', would they remain as popular as they have with those disillusioned by that which spews out of redmond? Perhaps not, after all there is a key difference in the marketing and cost associated with the products...

Or, another question; I was being courted a few years ago to join a team to move the hotmail and msn systems off sun boxen to their own OS, has that task yet been completed and if not why, or better yet, why were they not installed first show on a windows OS?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.