Full Disclosure mailing list archives
Second RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: "Drew Copley" <dcopley () eEye com>
Date: Thu, 1 Jul 2004 11:51:45 -0700
These things said, you did start the whole IE security thing, really, though I think l0pht found some nice ones. In a lot of ways you originated the whole field of looking for configuration type errors. And, I do not know you, that is correct. So, I cannot speak for you. But you did use Windows. I do read your emails. But, I would say, you are extremely talented. I would say the bugs you found, others did not find. The bugs you found, while not overly technical in the sense of requiring deep knowledge of ASM, were, regardless, extremely difficult to find. Even if some came easily, surely it took a lot of work in the first place in order to understand how the developers thought and find bugs in their software. If you are going to say you did not spend a lot of time finding these bugs, that they were extremely easy to find and required no talent whatsoever... then say that. I do not believe that, and likely, would not believe it even if you believed it yourself. And even that would not change the point that you used Windows and IE. There is a lot of software out there you never used at all. Therefore, you never would have tested it. I am not some new convert to Windows, I am not even a convert. In a great many ways, I prefer Linux. But, none of that is the point. The point is just that if people change, they should change because, say, Microsoft has a really bad history of fixing issues... not because actual bugs were found. Not out of fear. Not when the bugs found are extremely difficult to find. Not when they are being found by the same people. Some people have the idea that there are a lot of Guninskis out there. For instance. I would say this is not true. There is too much reason to use full disclosure. The bugs are too difficult to find. And, egos aside, bugfinders tend to know and hang around other bugfinders. A huge motivator for using security bugs to hack systems is ego, or fame, or whatever. This is entirely mitigated by the full disclosure process.
Another huge motivator is money -- for some people. But these types of people are smart enough to avoid all of the hassle of finding security issues and can make money in just about any way they want to. Quite often. This leaves political or religious motives, really. And, generally, if people are wrapped up in some kind of serious fanaticism... the last thing they have time or desire to do is to enter into bugfinding. This is not to say that the scene will not be changing, I am sure it will be. It already has been changing, slowly.
-----Original Message-----
From: Drew Copley
Sent: Thursday, July 01, 2004 10:33 AM
To: 'Georgi Guninski'
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

> -----Original Message-----
> From: Georgi Guninski [mailto:guninski () guninski com]
> Sent: Thursday, July 01, 2004 12:41 AM
> To: Drew Copley
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
>
> your long post seems like an advanced FUD to me.

No, it comes from working in the software field... in development and QA...

"Fear, uncertainty, and doubt"? I said nothing scary... should not be scary to anyone... I surely said nothing which would make anyone "doubt", and I surely said nothing to make someone unsure -- so please do not falsely accuse me because you *think* I said something. If you have a problem with something I say, please point it out. Otherwise, please do not slander me because you think you have a problem with something I have said.

It seems you missed what I was saying and just skipped over everything. I will be blunt and say, you must think I said something positive about Microsoft and not positive about open source. So, you are attacking me. However, I did not. So, please do not force me to waste my time to defend something I did not even say, that is really annoying.

> according to your reasoning there should be a lot of worms and exploits for apache because of its market share. fact is ii$ is plagued by worms and exploits though it has a small market share.

That is not my reasoning. That is not what I said.

Yes, Apache is an example of a really good software product. It has been really well tested. The last notable IIS bug, the chunked encoding bug from last year... was later cut and pasted to test with Apache. It worked on Apache. Then, we tested it on Netscape Enterprise. It worked there.

We might assume, therefore, since the same complicated bug was on each system and one of these systems was open source that... the bug came from Apache. But, so did the feature. This bug was last Spring, though, late Spring. Yes, it was found by us, as most IIS bugs have been. Not that I like IIS...

These things said, it might be noted, the default landscapes of both Apache and, now, Windows 2003 IIS are extremely sparse. They do not have WebDAV or anything like this.

But, I am not sure why you are trying to put words in my mouth... You test Linux. You use Linux. You used to test Windows. You used to use Windows. I am sure you, no doubt, have serious hatred of Microsoft. That is extremely obvious. But, you have been attacked viciously by them in the press over and over again. No offense... just telling the truth as I see it...

> On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
> > There has been a great deal of talk about people switching to Mozilla because of this recent Internet Explorer issue.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html