Re: Microsoft laxed security is threat to internet
From: Roman Drahtmueller <draht () suse de>
Date: Sat, 10 Jul 2004 04:19:47 +0200 (MEST)

> How much of a percentage of discussion and disclosure on this list is
> actually counteracting script kiddie hood and how much is actually
> aiding them to carry out further malicious activities across the
> internet on a global scale?

Nearly 100%, because if it is not this forum, it will be another. Are you
naive enough to believe that there is a benefit in NOT disclosing
vulnerabilities? Or that vulnerabilities cannot be investigated if the
source code of the software is not available? If there is not a clear
"Yes, it's better if vulnerabilities and source code are not publicly
available!", then you argue for transparency and openness.

I'd rather trust a greyhat who openly discusses his findings than a vendor
who doesn't, because my faith in him is rationally traceable.

> Yes, you can use this list to make vendors aware of a security
> situation. Although how many users are updating straight away and how
> many users are unaware of a flaw.
>
> I think security lists are geared up more at the vendor patching X,
> than making the consumer aware of a security flaw and asking them to

My mom (to use an example) doesn't know what you're talking about. But she
knows about a vendor's responsibility - full-disclosure@ has contributed
to security matters being hyped in the media, forcing vendors to take
action. Before bugtraq, vendors didn't even have enough reason to care for
their bugs. So don't complain about security mailing lists such as
full-disclosure@ not meeting YOUR requirement of making the consumer aware
of flaws - the absence of the list and its contributions wouldn't leave
the customer any choice in the first place.

[F**k not quoted]

> They (Microsoft) need to start using "Auto Updating" home and small
> business networks, and it doesn't matter about the critics who say
> it's a breach of privacy and you have no right modifying a user's
> computer. At the end of the day, we are talking about the spawning of
> very large bot nets owned by script kiddies, who can easily take down
> internet backbones and take out key infrastructure, which the very
> existence of the internet depends on.
>
> FD or BUGTRAQ can't save us now. Only Microsoft can. Implement Auto
> updating software for security patches without delay.
>
> I don't have much faith in Service Pack 2 (The overhaul of Microsoft code).
>
> All of these Microsoft exploits will be the death of the internet one
> day, when script kiddies decide to execute the mother of all denial of
> service attacks against the internet. Trust me, bot nets big enough
> are paused and waiting for such a day.

The cause of death of the internet will not be a technical one (like a
global communication blackout), but a sociological one: countless useless
attempts to solve human problems with technical means, the loss of trust
in software vendors and other corporations due to the loss of privacy and

(*): Looks like you have chosen already.

| Roman Drahtmüller <draht () suse de> // "You don't need eyes to see, |
| SUSE Linux AG - Security      Phone: //         you need vision!"    |
| Nürnberg, Germany    +49-911-740530 //       Maxi Jazz, Faithless   |

Full-Disclosure - We believe in it.