Full Disclosure mailing list archives

RE: Bill Gates blames the victim


From: Lim Swee Tat <st_lim () stlim net>
Date: Thu, 04 Sep 2003 01:39:24 +0800

On Thu, 2003-09-04 at 00:02, Robert Ahnemann wrote:
"Richard M. Smith" <rms () computerbytesman com> writes (quotes):
   ;;    Q. "The buffer overrun flaw that made the Blaster worm 
   ;;    possible was specifically targeted in your code reviews 
   ;;    last year. Do you understand why the flaw that led to 
   ;;    Blaster escaped your detection?"
   ;; 
   ;;    A. "Understand there have actually been fixes for all of 
   ;;    these things before the attack took place. The challenge 
   ;;    is that we've got to get the fixes to be automatically 
   ;;    applied without our customers having to make a special
   ;;    effort."

"Don't trust our software. But do trust our patching/update 
process..."

Don't trust software but trust our software patches...

We can continue the sentence by adding that the special effort is 
needed because new bugs are generated by these patches.

Let's relate this to real life (flame that line if you want).  Your car
has a defect that causes the oil pan to leak.  Ford (I drive one, I can
talk) issues a recall saying they know about the leak and are offering
you a free fix, if you would just take the time to take the car to the
shop.  You decide that you know better and that you would rather not
invest the time.  Your engine is lying on the ground three weeks later.
Whose fault is it?  They told you it was a problem.  You neglected to
address it.  I can tell you who will be paying for the engine.   Today's
society is about dissolving accountability.  I'm all for changing this
around.

I think you miss the point, and this is more the typical scenario than
anything else.  Microsoft issues patches that are highly unreliable,
even till today.

If we do a comparison to Ford, as per your scenario, Ford issues a
recall, but Ford also has a reputation for fixing something and breaking
something else, you'll let someone else take the fix, and wait in the
bylines to see if the fix broke something for him/her.

In fact, the unreliability of M$'s patches has become so widespread that
typical IT shops manage their software with at least a 3 month
testing/trial period even for software that is not demographically as
bad or even as unreliable as M$'s.

Again, the message is M$ should fix their software.  Trying to automate
the patch cycle without the permission of the user is and still does not
solve the initial problem.

Ciao
ST Lim

(forgot to send to the list poo)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-- [ Hobbes: What would you call the creation of the universe? ] [
Calvin: The Horrendous Space Kablooie! ] [ ]
