
| Subject: | Re: [Full-Disclosure] Web sites compromised by IIS attack |
|---|---|
| Date: | Wed, 30 Jun 2004 20:05:44 -0700 (PDT) |
Please see below.

On Wed, 30 Jun 2004, Frank Knobbe wrote:

> On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:
>> I'm right there with you, Frank, on one condition. You hold *every* software vendor to the same standard. [...] If we're going to require that software vendors produce flawless products, we're not going to have many software products. Even Postfix, which *to my knowledge* has never had a security issue, has had numerous bug fixes. (And I think so highly of Postfix that the first thing I do when I install a new OS is replace sendmail with Postfix.)
>
> Heya Paul, well, there is a difference between *free* stuff you choose to pull from the Internet and run yourself. Community driven projects should require that everyone running the product is doing their part to fix flaws (even if it just means reporting it to someone who can fix it).

They pretty much do. That is, if the application is one that users have found worth supporting.

> The difference is with products you *pay for*. If you *buy* a product you trade your money (perhaps chickens in other parts of the world) in the amount considered to equal the worth of the product. You should expect to receive a working product in return. My beef is that we started to accept broken products, and we assumed the task of fixing broken products ourselves. That task should not fall on us but on the manufacturer.

So can I assume that you would allow a vendor to remotely patch your system?

>> We need better methodologies for finding bugs in software.
>
> Right. But we also need better methodologies for vendors to fix their products. The emphasis here is on "the vendor fixing the broken product". It should not be a burden on the consumer, but on the vendor.

Like I said, do you REALLY want a vendor to install patches for you?

> And yes, I'm not targeting Microsoft in particular, although they are the most blatant abusers of consumer rights. I intentionally included all manufacturers of commercial software products.

I think, Frank, that you're starting to point out a problem for M$ and other vendors. They don't have the money to support their products any longer. M$ has somewhere like 20,000 paid programmers. How many programmers are working on open source products? 100,000 plus, maybe more. How do you expect a company like M$ to compete? I don't think they can.

Denis

> Cheers,
> Frank