Forwarded from: "Bill Scherr IV, GSEC, CGIA" <bschnzlat_private>

Folks,

I think we can all agree that for most IT workers, Microsoft related issues top the list of answered calls. Even without that fact, processors with full keyboard input devices running microsoft software do outnumber those that don't. The primary users of the overwhelming majority of the machines running microsoft software expect the machine to run without regular maintenance or monitoring. Any dissenters?

Let's step back in time for a moment. Pretend that you are designing a complete digital communications system from scratch. Would you really give the more complex machines to all of your users? Would you propose that all users use that same Byzantine system? Would you stipulate that owners and operators of those systems be denied detailed information on the system's inner workings?

OK, the engineers really don't have a say in all this. The answers to the above questions highlight why it is important to spread vulnerability, if not all internal information, as far and wide and detailed as possible. We are literally flying blind. Unless we relentlessly echo the issues of this complex, monolithic, secret, ubiquitous system we have deployed, we have no hope of alerting everyone. I am not saying we should take out advertisements, or get it on the Evening News Shows. THAT would be counterproductive. But this list, of all lists, is one place for repeating issues with this system that was built without consulting the engineers.

Now, it is apparent that issuing patches is not working. The model is not likely to work for any software suite. Albert Einstein said "The problems that exist in the world today cannot be solved by the level of thinking that created them." We must adjust the paradigm. The direction of the shift will not be solved here. IMHO, we have standards bodies, and they need more teeth. Either way, I believe the shift is already occurring.

My $0.02

Mark, I applaud your full disclosure. I do not believe I have anything so pertinent to this issue to disclose!

On 16 Dec 2002 at 5:17, InfoSec News wrote:

> Forwarded from: Mark A. Simos <MSimosat_private>
> Cc: myemailaccountat_private
>
> The attacks on Microsoft's security are getting repetitious and
> counter-productive. There are plenty of flaws in many open source
> products that could be listed and lambasted on a list such as this.
>
> IMHO, the attacks have worked and should be put aside until it is
> obvious they are needed again. The company shutdown production for 2
> months and forced every developer to review every line of code. That
> is a pretty serious commitment for a profit driven corporation. The
> versions of the software most directly affected have not even been
> released in production yet.
>
> How would you motivate a large number of home-users to patch
> affected systems? RedHat et al currently still have the mixed
> blessing of not having a large install base of unmanaged home PCs.
> RedHat will face the exact same problem if/when it gains marketshare
> in that area. Then what? Do they remotely, as the redhat root account,
> force people to patch? Do they coax, cajole and try to sell patching
> to end users?
>
> Full Disclosure: I work for the evil empire, get over it.
>
> FYI, I mean nothing special about redhat specifically, they are just
> the most popular MS alternative in the US

Bill Scherr IV, GSEC, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 13:12:58 PST