pooh sun tzu, what I meant with the allegory was, when you find a hole, even if you can't fill it in right away... it is better to mark it as a hazard than to cover it up and hope no one stumbles into it.
I agree, but the point was the example doesn't apply to the computer security situations :) When people hear about exploit information in computer security situations, the script kiddies run to it in herds and we have exploitation problems while we wait for the vendor to repair it. When people hear about a hole in the ground, they make sure to not fall into it, rather than run to it and try to jump into it.
See what I mean? The difference is with computers script kiddies WANT to fall into the hole and cause damage. In the forest, no one wants a sprained ankle.
Don't get me wrong, I see your side completely and how it applies to most every situation in a common day. I honestly do. But script kiddies aren't common people, and the network security world behaves differently when a hole is in a network.
However, it isn't as if the park ranger is trying to hide a pit he found himself... someone else told him about it after he stumbled upon it, one of the many explorers in the forest, and the next stumble could be fatal.
It's not as if we're talking about DoSing a web server, setting up a warez site or writing to an ftp directory. It's not about someone tricking someone into going to a malicious web page and getting a trojan; we're talking about Kerberos, NTLM and the complete compromise of entire networks with SYSTEM privileges here. No escalation required. It's not a hole in the woods, it's highways collapsing, and the people riding upon them should know.
I'm not too sure how my whole post was nothing more than troll bait, but I still think there is a valid concern in the e-mail message I posted showing Microsoft's scanners reporting this as secured when it really is not. Microsoft does not give one **** about customers, they care about money.
I agree with Ted completely here.
If I am going to drive down I-Microsoft, I damn well better know when they took the bridge out, as I don't feel like sinking in my car to the bottom of lake security that it once covered.
*stands alone as one of the few, rare MS supporters?*
And here come the "you're a sheep" comments, I know it.
SonofGalen. You make the assumption that Joe Public is no threat. I would say that as he encompasses everyone in the world, he is very much a threat. Joe Average may not be, however. Joe Average would not know a back door from his arse, but Joe Public incorporates retards as well as very intelligent people, some of whom may well be aspiring black hats.
So let's all tell them how to bugger us about. Save them the research, why not.
Why call you a sheep? I already said that and said why I thought so, and you in turn reported me. Just out of curiosity, why even take me off ignore? I know you don't like me, so why reply to anything I say? I made a post giving my opinion, and then copied and pasted a few things I found that were relevant to the topic, and you replied saying it was troll bait.
I don't care if you don't like me, that's your choice, and a lot of people agree with you, but why reply saying that everything I said except one thing was troll bait? I copied and pasted that from a security list I belong to, from someone who used those scanners... Where and how is that troll bait?
Bah, **** it, I have more important things on my mind. There's nothing I'm going to say that's going to change the way you think, and I'm not going to bother. Wondering where I'm going to live in a few months after I get ditched again is a bit more important than trying to make someone who believes what they are told open their mind. That is about as useful as a Tool CD to Britney Spears.
Neither would understand it, and neither could comprehend it.
Now go put me back on ignore, which is, by the way, the reason I couldn't reply to your OS thread. I tried replying as that is my area of skill, but couldn't because you ignore me. Until, of course, I say something you take as a direct attack for some reason.
Back on topic.
Joe Public can be a threat. If you've ever talked to admins for companies using Windows, Joe opens every e-mail sent to him, and this can be a bad risk for security. MyDoom wasn't spread because a bunch of gurus actually opened and installed something that said it was from Microsoft.
It was spread because of people who, after YEARS of hearing not to open things, were stupid enough to do so anyway. As much as I hate SCO, I have come to realise that even though I think they deserved a whack on the ass, they did not, however, deserve to lose money.
There are a lot of people who hate me, and they may think I deserve to lose money too. So of course I have matured a little bit more (bet someone just fainted over that one), but I know that just because you are hated does not mean you should be going broke over some virii writer, even though he does seem to be damned skilled.
I never meant that Joe Public wasn't a threat. Just that 90% of the people out there aren't.
This is one of those catch-22 arguments. To say a black hat won't take advantage of a publicized vulnerability is crazy. But to also say a disclosure won't benefit white hats is also crazy. In addition, to hastily release patches that affect a module, or say a .dll, used by hundreds of thousands of 3rd party software products is also crazy. The risk of additional security holes and closing a conduit or process used by those thousands is a huge risk. When vulnerabilities are discovered at the low Linux kernel level, they don't release a patch overnight, every time. I remember one that took months.
Most of the time Linux patches only affect a couple of software products, that's it. When you compare that to the complexity of Windows, it just doesn't equal out. It's the open architecture and simplicity (in terms of raw speed over ease of use) that is the attraction to Linux, plus it's free for the most part. Windows and Linux both have excellent returns on investment when used to meet some need we each have.
You don't have to be a Microsoft zombie to recognize Windows for what it is. Microsoft aside, it's ****ing big, complicated software, perhaps the largest and most complicated piece of code on the planet. It's closed source, so thousands of programmers can't look at a piece of code and fix it, but even though you don't agree with it, Bill has the patent, and one should be able to patent things if they desire in this country. If you want to modify code and have the support of thousands of cool programmers, use Linux.
So while there are good arguments on both sides of the disclosure issue, I think it boils down to: the specific modules that are affected, the risk of public exposure, and the ability or risk associated with the capability for some black hat to exploit it. These seem to be factors in disclosing information. Perhaps partial disclosure could be a catch-all? Who knows. We admins, or whatever we call ourselves, don't publicize security breaches to our customers without analyzing the risk and fallout (if at all), unless you're in California, where you are forced to.
Side note: Until all these great security sites started popping up since Y2K, there were always some secret Linux 'sploits running around the underground. The world was wide open in the 90s and the lambs didn't even know it. Microsoft wasn't even a big server player then, and one could travel wherever they pleased.
-------Warning--------The FCC might view this next bit as bad as an ugly tit on TV. ----
HIDE YOUR EYES. This one is for gore. "...about as useful as a Tool CD to Britney Spears." Yeah, but imagine her completely stoned in your bedroom with "Tool" cranking in the background. Wait - make it my fav, "Undertow", at full volume. She has a smile on her face and (had to delete this).
That wasn't the point I was making. The point is that whatever M$ do, they will get slated for it.
Quote:
Originally posted here by Tedob1
steve, if you think that keeping the fact that there are enormous holes in its security a secret serves the interests of the customers, I'll have to disagree.
I think that in general M$ should have the same options as, say, Linux and release patches quickly, even if those patches require more patches soon after, without having everyone complain about their poor abilities etc.
At least that way they could respond quickly to vulnerabilities and could therefore publish them as they are found.
Steve