
Full Disclosure mailing list archives

Re: Microsoft laxed security is threat to internet
From: Roman Drahtmueller <draht () suse de>
Date: Sat, 10 Jul 2004 04:19:47 +0200 (MEST)

[...]
How much of a percentage of discussion and disclosure on this list is
actually counteracting script-kiddie-hood and how much is actually
aiding them to carry out further malicious activities across the
internet on a global scale?
[...]

nearly 100%, because if it is not this forum, it will be another. Are you
naive enough to believe that there is a benefit in NOT disclosing
vulnerabilities? Or that vulnerabilities cannot be investigated if the
source code of the software is not available? If there is not a clear 
"Yes, it's better if vulnerabilities and source code are not publicly 
available!", then you argue for transparency and openness. 
I'd rather trust a greyhat who openly discusses his findings than a vendor 
who doesn't, because my faith in him is rationally traceable.

Yes, you can use this list to make vendors aware of a security
situation. Although how many users are updating straight away and how
many users are unaware of a flaw.

I think security lists are geared up more at the vendor patching X,
than making the consumer aware of a security flaw and asking them to
update.

My mom (to use an example) doesn't know what you're talking about. But she 
knows about a vendor's responsibility - full-disclosure@ has contributed 
to security matters being hyped in the media, forcing vendors to take 
action. Before bugtraq, vendors didn't even have enough reason to care for 
their bugs. So don't complain about security mailing lists such as 
full-disclosure@ not meeting YOUR requirement of making the consumer aware 
of flaws - the absence of the list and its contributions wouldn't leave 
the customer any choice in the first place.

[...]

[F**k not quoted]
They (Microsoft) need to start using "Auto Updating" for home and small
business networks, and it doesn't matter about the critics who say
it's a breach of privacy and you have no right modifying a user's
computer. At the end of the day, we are talking about the spawning of
very large botnets owned by script kiddies, who can easily take down
internet backbones and take out key infrastructure, which the very
existence of the internet depends on.

(*)

FD or BUGTRAQ can't save us now. Only Microsoft can. Implement Auto
updating software for security patches without delay.

I don't have much faith in Service Pack 2 (the overhaul of Microsoft code).

All of these Microsoft exploits will be the death of the internet one
day, when script kiddies decide to execute the mother of all denial of
service attacks against the internet. Trust me, botnets big enough
are paused and waiting for such a day.

The cause of death of the internet will not be a technical one (like a
global communication blackout), but a sociological one: countless useless
attempts to solve human problems with technical means, the loss of trust
in software vendors and other corporations due to the loss of privacy and 
respect.

(*): Looks like you have chosen already.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


