Re: Web sites compromised by IIS attack

[Denis Dimick <denis () dimick net>]

Paul,

If I'm understanding you correctly you don't understand Linux/Redhat. Or 
your just being silly to make a point. sendmail, wftp , php, etc.. are not 
owned by Redhat. Each of these applications are owned buy someone else and 
Redhat is allowed to re-distribute them. 

And using the number of fixes/patches to an application as an indication 
of how god it is, is a bad thing. Using this logic you would have to say 
M$ is a good product.

Denis



On Wed, 30 Jun 2004, Paul Schmehl wrote:

> --On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe <frank () knobbe us> 
> wrote:
> > Instead of requiring the consumer to install patches, Microsoft should
> > be required to fix their own, broken products. That means that they
> > should send their army of engineers (a lot of which are now carrying the
> > CISSP certification) to the consumers and have their engineers correct
> > the flaws in their products. They sold flawed products, they should fix
> > it.
> I'm right there with you, Frank, on one condition.  You hold *every* 
> software vendor to the same standard.  IOW, "Apache should be required to 
> fix their own, broken products"..."RedHat Linux should be 
> required"......"Oracle should be 
> required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc., 
> etc., ad infinitum, ad nauseum.
>
> Be careful what you wish for.  You may actually get it.
>
> I just upgraded my workstation from RedHat 9.0 to Fedora Core 1.  I then 
> ran up2date and found that there were 142 software packages that needed to 
> be updated.  Just before I did that, I run portupgrade on one of my FreeBSD 
> boxes.  It had 17 programs that had to be updated.
>
> If we're going to require that software vendors produce flawless products, 
> we're not going to have many software products.  Even Postfix, which *to my 
> knowledge* has never had a security issue, has had numerous bug fixes. 
> (And I think so highly of Postfix that the first thing I do when I install 
> a new OS is replace sendmail with Postfix.)
>
> I attended a presentation yesterday for a security product in the 
> application firewall field.  During the presentation, the CISSP stated that 
> "in every 1000 lines of code there will be 15 errors".  I don't know if I'd 
> agree with that - I suspect most coders are a bit better than that - but I 
> had to chuckle, because, of course, I immediately thought, "So you admit 
> that your code is riddled with holes!"
>
> We need better methodologies for finding bugs in software.  We need better 
> training of programmers.  We need established standards for coding that 
> would define things like bounds checking.  We need a *lot* of improvements 
> in software development, and those improvements need to be *industry-wide*, 
> not just Microsoft.
>
> Every time I read about a security vendor with a remote hole in their 
> products, I think, "How in the world can they identify attacks, if they 
> can't even see them in their own code?"
>
> Clearly the problem is a *lot* bigger than Microsoft alone.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html