Full Disclosure mailing list archives
RE: Bill Gates blames the victim
From: Lim Swee Tat <st_lim () stlim net>
Date: Thu, 04 Sep 2003 01:39:24 +0800
On Thu, 2003-09-04 at 00:02, Robert Ahnemann wrote:
> "Richard M. Smith" <rms () computerbytesman com> writes (quotes):
>
> ;; Q. "The buffer overrun flaw that made the Blaster worm
> ;; possible was specifically targeted in your code reviews
> ;; last year. Do you understand why the flaw that led to
> ;; Blaster escaped your detection?"
> ;;
> ;; A. "Understand there have actually been fixes for all of
> ;; these things before the attack took place. The challenge
> ;; is that we've got to get the fixes to be automatically
> ;; applied without our customers having to make a special
> ;; effort."
>
> "Don't trust our software. But do trust our patching/update process..."
>
> Don't trust software but trust our software patches... We can continue the sentence by adding that the special effort is needed because new bugs are generated by these patches.
>
> Let's relate this to real life (flame that line if you want). Your car has a defect that causes the oil pan to leak. Ford (I drive one, I can talk) issues a recall saying they know about the leak and are offering you a free fix, if you would just take the time to take the car to the shop. You decide that you know better and that you would rather not invest the time. Your engine is lying on the ground three weeks later. Whose fault is it? They told you it was a problem. You neglected to address it. I can tell you who will be paying for the engine. Today's society is about dissolving accountability. I'm all for changing this around.
I think you miss the point, and this is more the typical scenario than anything else. Microsoft issues patches that are highly unreliable, even today. If we do a comparison to Ford, as per your scenario: Ford issues a recall, but Ford also has a reputation for fixing something and breaking something else, so you'll let someone else take the fix and wait on the sidelines to see if the fix broke something for him/her.

In fact, the unreliability of M$'s patches has become so widespread that typical IT shops manage their software with at least a 3 month testing/trial period, even for software that is not demographically as bad or even as unreliable as M$'s.

Again, the message is that M$ should fix their software. Trying to automate the patch cycle without the permission of the user does not solve the initial problem.

Ciao
ST Lim
(forgot to send to the list poo)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
[ Hobbes: What would you call the creation of the universe? ]
[ Calvin: The Horrendous Space Kablooie!                    ]
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Bill Gates blames the victim Petr Swedock (Sep 03)
- Re: Bill Gates blames the victim Alexandre Dulaunoy (Sep 03)
- <Possible follow-ups>
- RE: Bill Gates blames the victim Robert Ahnemann (Sep 03)
- RE: Bill Gates blames the victim C. David Wilde (Sep 03)
- RE: Bill Gates blames the victim Lim Swee Tat (Sep 03)
- RE: Bill Gates blames the victim Brent J. Nordquist (Sep 03)
- Re: Bill Gates blames the victim Petr Swedock (Sep 03)
- RE: Bill Gates blames the victim Robert Ahnemann (Sep 03)
- RE: Bill Gates blames the victim Lim Swee Tat (Sep 03)
- RE: Bill Gates blames the victim Robert Ahnemann (Sep 03)
- RE: Bill Gates blames the victim Lim Swee Tat (Sep 03)
- RE: Bill Gates blames the victim Richard M. Smith (Sep 03)
- RE: Bill Gates blames the victim Nick FitzGerald (Sep 03)
- Re: Bill Gates blames the victim Valdis . Kletnieks (Sep 05)
- Re: Bill Gates blames the victim Nick FitzGerald (Sep 05)