Re: Support the Sasser-author fund started

[Konstantin Gavrilenko <mlists () arhont com>]

Tobias, following your logic, the people who found and disclosed the 
vulnerability that Sasser was abusing should be prosecuted together with 
the author of the viral code.

What is the next stage? Jalining people who write "proof of concept" 
exploit code? Punish Fyodor for writing  nmap or maybe prosecute the 
nessus team?

If the guy wrote the code and intentionally released the worm and 
infected half of the Internet then he is guilty, but that remains to be 
proven. Nobody has cancelled the presumtion of innocence yet!

My personal opinion is that more blame should be put on M$. But where 
would the security industry be if not for Microsoft's products :)


--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko () arhont com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com



Tobias Weisserth wrote:
> Hi harry,
>
> On Thu, 2004-05-13 at 14:33, harry wrote:
>
> > Tobias Weisserth wrote:
> > <snip>
> >
> > > I find your "explanation" why this author of a virus should be treated
> > > any different than other authors somehow illogical. The Sasser author
> > > has done nothing to foster security. So there is really no need for the
> > > security scene to support him.
> >
> > there is one other thing...
> >
> > he is correct when he says that Microsoft will say it's completely the 
> > worm writer's fault.
>
>
> It IS completely the author's fault. HE wrote it, HE caused the damages
> and HE violated German law. As much as MS products suck, MS has done
> nothing illegal.
>
>
> > BUT i think Microsoft should be punished too for 
> > having so many security holes. they had to patch it faster.
>
>
> A patch to this problem has been available for at least two weeks prior
> to the release of the worm. So what's your boundary when you speak of
> "earlier"? A month? A year? Should the exploitation of a bug be legal if
> the vendor doesn't offer a patch in time?! That's the direction you're
> pushing here.
>
>
> > who's fault is it really when you buy a door, you lock it, but a burglar 
> > finds a way to easily open it, comes in and tells you...
>
>
> Nobody asked the "burglar" to do this. He broke law. He caused damages.
> And he certainly didn't improve your security by doing so when the door
> vendor already offered a patch for your door two weeks ago.
>
> There's just no way you can justify the action of this idiot by blaming
> MS.
>
> I say this idiot has to be punished and punished to the full extend law
> allows. Maybe this deters other idiots to do the same.
>
> Tobias W.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html