Full Disclosure mailing list archives

Re: MS04-025 - Ignorance is truly bliss....


From: hellNbak <hellnbak () nmrc org>
Date: Thu, 5 Aug 2004 17:49:11 -0500 (CDT)

On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy wrote:

But then, were the Internet and IT security still merely a hobby of a bunch
of enthusiasts, you wouldn't be getting your paycheck, would you? You
benefit from these changes, with all their side effects. You tell your
customers to buy products, not to distrust the system, to uncloak treasons,
or banish false prophets. You tell them what they want to hear, then cash
the check so that you can afford to write rants about how the world should
be. The problem with socialist utopias where all do their jobs best, and get
exactly what they deserve, is that they all seem to fail quite miserably
(how odd). Unjust exploitation, trickery to claim undeserved credibility or
recognition, commercialization of everything you can capitalize on - that's
what makes a country (or an industry) great.

The only mistake you make above is that you paint the entire industry with
the same brush.  Yes, I and a lot of people make money in this industry.
We took a hobby and made it a job -- why not?  Why not get paid for
something you enjoy?  Working in this industry does not automatically make
you a false prophet as you explain above.

Over the long term -- no one will benefit -- and I don't care how big the
paycheck is -- telling a client what they want to hear is not the way many
of us choose to make a living.  Sure, there are a lot of people in EVERY
industry that are willing to push ethics aside and do what it takes for
that paycheck but I know I can look myself in the mirror and say that I am
not one of those people.

Eventually the false prophets are exposed, sure they already got their
paycheck and have moved on to the next sucker but eventually they run out
of suckers and money.


What do you hope to achieve, or how do you believe your opinion is being
relevant or novel, if you come to this audience, and state that CERT is no
longer credible, and is a bunch of crooks who live off selling advance
vulnerability warnings? Or that Microsoft is not exactly particularly devoted
to improving security of their products and protecting their customers?

I hoped to stir some shit up, perhaps give the guys over at
secure () microsoft com a bit of a kick in the nuts as there was a time that
they were making at least a little progress.  I was hoping to draw enough
attention to this issue that perhaps someone from one of the major banks
will one day sit down and correlate the connection between vulnerabilities
such as this and losses due to fraud.  The only way that any vendor is
going to be forced to actually care about security and actually care about
users is when those users mean lots of $$$ to them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

