
Re: [Full-Disclosure] Microsoft laxed security is threat to internet



[...]
> How much of a percentage of discussion and disclosure on this list is
> actually counteracting script kiddie hood and how much is actually
> aiding them to carry out further malicious activities across the
> internet on a global scale?
[...]

Nearly 100%, because if it is not this forum, it will be another. Are you
naive enough to believe that there is a benefit in NOT disclosing
vulnerabilities? Or that vulnerabilities cannot be investigated if the
source code of the software is not available? If there is not a clear
"Yes, it's better if vulnerabilities and source code are not publicly
available!", then you argue for transparency and openness.
I'd rather trust a greyhat who openly discusses his findings than a vendor
who doesn't, because my faith in him is rationally traceable.

> Yes, you can use this list to make vendors aware of a security
> situation. Although how many users are updating straight away and how
> many users are unaware of a flaw.
> 
> I think security lists are geared up more at the vendor patching X,
> than making the consumer aware of a security flaw and asking them to
> update.

My mom (to use an example) doesn't know what you're talking about. But she
knows about a vendor's responsibility - full-disclosure@ has contributed
to security matters being hyped in the media, forcing vendors to take
action. Before bugtraq, vendors didn't even have enough reason to care about
their bugs. So don't complain about security mailing lists such as
full-disclosure@ not meeting YOUR requirement of making the consumer aware
of flaws - the absence of the list and its contributions wouldn't leave
the customer any choice in the first place.

[...]

[F**k not quoted]
> They (Microsoft) need to start using "Auto Updating" home and small
> business networks, and it doesn't matter about the critics who say
> it's a breach of privacy and you have no right modifying a user's
> computer. At the end of the day, we are talking about the spawning of
> very large botnets owned by script kiddies, who can easily take down
> internet backbones and take out key infrastructure, which the very
> existence of the internet depends on.

(*)

> FD or BUGTRAQ can't save us now. Only Microsoft can. Implement Auto
> updating software for security patches without delay.
> 
> I don't have much faith in Service Pack 2 (The overhaul of Microsoft code).
> 
> All of these Microsoft exploits will be the death of the internet one
> day, when script kiddies decide to execute the mother of all denial of
> service attacks against the internet. Trust me, botnets big enough
> are paused and waiting for such a day.

The cause of death of the internet will not be a technical one (like a
global communication blackout), but a sociological one: countless useless
attempts to solve human problems with technical means, the loss of trust
in software vendors and other corporations due to the loss of privacy and
respect.

(*): Looks like you have chosen already.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@xxxxxxx> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html