Full Disclosure mailing list archives

Re: Who's to blame for malicious code?


From: Tobias Weisserth <tobias () weisserth de>
Date: Tue, 20 Jan 2004 21:31:36 +0100

Hi Paul,

On Tue, 20.01.2004 at 19:53, Schmehl, Paul L wrote:
>> This is too easy. It's the same with guns. People always
>> blame the people who pull the trigger but the fact that guns
>> are soooooo damn easy to get, even for minors doesn't startle
>> a soul...

> This is a ludicrous argument.  Do you seriously believe that if all guns
> suddenly disappeared that murders would cease????  But this is
> completely off topic, so I'll leave it at that.

Well, let's end this with just one last statement: I'm rather glad that
most European nations don't handle gun control the way the US does. The
mortality rates concerning gun shots in the EU are FAR less than in the
States. 

> Returning more to the topic at hand, I agree with Mary that the writers
> of malicious code are to blame for much of the present problems, but I
> also think users must take some responsibility as well.  So should the
> writers of software.

You want to spread it even among all stakeholders ;-) How nice of you
;-)

But well, no.

Customer is king. This is most important. Always. Users rule.

Of course the people writing malicious code are criminals. But there
will always be criminals. There is no measure, ransom whatsoever that
could change this. Take the ransom MS offered on clues leading to the
arrest of virus writers. Not a single dime has been spent because this
is a totally useless measure. Criminals are a constant. You can't
eradicate them. In my native language there's a saying, it goes
something like this: "Where there is an opportunity, there is a thief."
or "Opportunities make thieves".

The opportunities MS bundles with its software create massive amounts of
thieves. You don't have to be a studied computer engineer to write a
Bagle, Blaster or Nimda. In fact, it's even so easy that people writing
this stuff are referred to as "script kiddies". If you find a flaw in a
Windows service and you want to exploit it then you can always count on
the fact that millions of uneducated end users are running these
services to spread your plague. Well, I hear you saying it's the end
users' fault. They need to be educated. This is plain wrong. It's the
vendor's fault. He should disable everything that is not essential and
offer "opt-out" of this setting.

> It's been proven conclusively in the US, IMNSHO,
> that you cannot legislate good behavior, no matter how much the
> politicians try, mostly to society's detriment.

We totally agree on that one. But doesn't this demand to ship software
in "secure by default" state rather than "I have my RPC port wide open
and I don't know noffin'" state?

> All the warnings in the world won't stop some idiots from flying to
> Nigeria to pick up their commissions, and all the security in software
> that you can possibly design in won't stop some people from doing stupid
> things that compromise their machine, *regardless* of how well designed
> it is.  You need only look at the number of compromised Unix machines
> worldwide to realize that the OS isn't the problem.

If you reread my post you'll note I never said that it's the quality of
the MS software that leads to disaster. I'm talking about "opting in"
for security. THIS is the MS sin. And frankly, there's no excuse for it.

> In a perfect world, no one would write malicious code, and the OS you
> use wouldn't matter at all.  But we don't live in a perfect world, do
> we?

Exactly. Because we don't live in a perfect world I do expect that my
vendor ships me software without default settings that are risky. When I
need the additional feature, I'd rather enable it myself. If I don't
know how, then all the better. I have to learn how to do it and I will bring
this risk to myself rather than share it unnecessarily with millions of
other users who don't need the additional feature.

> Yet, no matter what OS you use, you can find *someone* whose
> machine is compromised.

Yes. But there are very few OSs that keep being raped the way the
consumer versions of Windows are because they don't run unnecessary
services by default. THERE IS a big difference between Windows and
OpenBSD for example. This is not technical, this is philosophical.
Secure by default versus "opt in security if you need it".

The two examples I gave in my initial answer to you actually contain
that. I wonder why you didn't comment on them. What's your opinion on an
enabled RPC port by default in consumer OSs? Don't you think the simple
measure of shipping Windows XP Home without such a service enabled would
have stopped the spread of Blaster cold? I do.

cheers,
Tobias W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
