On Wed, 17 Oct 2001, Steve wrote: > Worms and virus' have been created long before "security research" was > fashionable. Code Red, Nimda and a few of the more recent worms were > made possible not by the research that discovered the vulnerability they > exploited but by the lack of awareness and training by system > administrators who did not patch their systems. Never forget the developers and vendors who release vulnerable software and ship it to the clueless masses (and they know very well the vast majority of their target audience is clueless). They are the people who made all those disasters *possible*! Arguments about bugs and vulnerabilities being inevitable in ``all non-trivial software'' are bogus. The principle of least privilege has been known for decades. So has been the concept of TCB or the concept of mandatory access control or a large number of other ideas invented to reduce the impact of bugs, or even to make (some of) them completely irrelevant from a security point of view. But how many software systems exploiting these ideas do you know and use? A few...if any at all. On the other hand, a certain vendor put the whole webserver plus millions of lines of other junk within its OS's security perimeter and added an ability to run arbitrary code embedded in data files to every user application in their portfolio (often with full privileges of a poor user running the application). --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 13:15:35 PDT