Full Disclosure mailing list archives

Re: New thread: sasser, costs, support etc altogether


From: Tobias Weisserth <tobias () weisserth de>
Date: Fri, 14 May 2004 20:05:28 +0200

Hi Radule,

On Fri, 2004-05-14 at 17:27, Radule Soskic wrote:
> I can't post this to all the threads that I would like to, so I'm
> opening a new one.

> Follow this:

> 1. MS is wrongdoing by releasing (and charging for use of) software that
> has bugs in it. Users of such software have losses in time/money by
> trying to keep up with applying patches, or just by trying to keep the
> uptime high.

Guess what. Everybody releases software that has bugs in it. That's
totally not the point. What MS does wrong is the non-disclosure of
security, the sometimes bad quality of the patches and their late and
untimely release (though the latter isn't true with Sasser).

Still, these shortcomings (a more suitable word than wrongdoing) are no
crime.

> 2. Admins are wrongdoing by not applying patches to the systems they
> maintain. There are losses tied to such malpractice, too.

This is again a shortcoming but no crime. If I don't patch and nobody
exploits me, then where is the problem?

> 3. Worm authors are wrongdoing by writing software that propagates
> through the networks by exploiting all of the above. Again, the losses
> occur in time/money spent to remove the worms from the systems affected.

There's the financial loss on one side and the fact that they are in
fact criminals. All I'm asking for is that these crimes be punished by
the letters of the law.

> It is obvious that almost every legal system in the world treats #3 as a
> crime, while #2 and #1 are broadly tolerated.

Exactly my point.

> No one here is against the
> book of law, but it just seems to be in contrast to the natural and
> intuitive feeling of justice that the majority of people might have
> regarding issues like these. See - only one of the three wrongdoers
> is being punished.

That's because the other two simply are shortcomings in contrast to
actually wrongdoing or crime with intent.

> Is it right? Or - is it wrong?

Well, should a 16 year old girl, wandering late about New York's Central
Park, be punished when somebody rapes her? Obviously she did something
wrong, wandering late at night and without protection in a dangerous
place. Should this wrongdoing of hers be used in the legal defence of the
guy raping her?

> BTW, I have a funny feeling that damages/losses caused by #3 might very
> often be far less than the ones caused by #2 and #1.

If I don't patch a bug and nobody exploits it I don't suffer damages.
Now, is not patching immediately leading to damages? Only if someone
actually exploits this bug. *Their* criminal behaviour is needed to make
my shortcoming a part of the problem.

> Am I alone?

I guess many people are scrambling to the rescue of this kiddo because
his victims were using "M$" products. Had the victims been users
of OpenBSD products or some Linux distribution or VMS or some other
superior product, everybody would have gone for the kid's head.

Let's be colourblind for a moment, OK? Let's pretend you don't know what
bug has been exploited on what product. Let's still suppose there has
been a patch available for two weeks and the problem was well announced
in the media. Now let's look at what the Sasser author has done, the
damages he has caused. I guess the reaction would have looked a bit
different. I've never heard of a fund being raised for the guys that
broke into the Debian server (well, they haven't been caught yet...).

This whole debate about MS guilt is hypocritical.

Who am I talking to anyway?! I'm not even using a single MS product...

Tobias

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

