Re: Web sites compromised by IIS attack

[Denis Dimick <denis () dimick net>]

Please see below..

On Wed, 30 Jun 2004, Frank Knobbe wrote:

> On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:
> > I'm right there with you, Frank, on one condition.  You hold *every* 
> > software vendor to the same standard. 
> > [...]
> > If we're going to require that software vendors produce flawless products, 
> > we're not going to have many software products.  Even Postfix, which *to my 
> > knowledge* has never had a security issue, has had numerous bug fixes. 
> > (And I think so highly of Postfix that the first thing I do when I install 
> > a new OS is replace sendmail with Postfix.)
>
> Heya Paul,
>
> well, there is a difference between *free* stuff you choose to pull from
> the Internet and run yourself. Community driven projects should require
> that everyone running the product is doing there part to fix flaws (even
> if it just means reporting it to someone who can fix it).

They pretty much do. That is if the application is one that users have 
found worth supporting.

> The difference is with products you *pay for*. If you *buy* a product
> you trade your money (perhaps chicken in other parts of the world) in
> the amount considered to equal the worth of the product. You should
> expect to receive a working product in return.
>
> My beef is that we started to accept broken products, and we assumes the
> task of fixing broken products ourselves. That task should not fall on
> us but on the manufacturer.

So can I assume that you would allow a vendor to remotely patch your 
system? 

> > We need better methodologies for finding bugs in software. 
>
> Right. But we also need better methodologies for vendors to fix their
> products. The emphasis here is on "the vendor fixing the broken
> product". It should not be a burden on the consumer, but on the vendor.

Like I said, Do you REALLY want a vendor to install patches for you?

> And yes, I'm not targeting Microsoft in particular, although they are
> the most blatant abusers of consumer rights. I intentionally included
> all manufacturer of commercial software products.

I think Frank that your starting to point out a problem for M$ and other 
vendors. They don't have the money to support there products any longer. 
M$ has somewhere like 20,000 payed programers, How many programers are 
working on open source products? 100,000 plus, maybe more. How do you 
expect a company like M$ to compete? I don't think they can.

Denis

> Cheers,
> Frank

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html