product liability (was 'we should all be uncomfortable with the extent to which luck..')

Jonas Luster jluster at
Wed Jul 25 13:47:47 UTC 2001

* Dan Hollis sez:

: Microsoft is advertising "high security padlocks", but is instead selling
: locks that dont work at all.

After finding out they were flawed, Microsoft offered everyone a
replacement/bugfix. While there's no proof that these padlocks are
actually high-secure, they are more secure than what came with the
purchase initially.

Microsoft has - and I believe Firestone would do the same - informed all
registered customers as soon as the fix was available. In addition there
was quite some buzz about the .ida vulnerability a while ago.

While one might argue that it's Microsoft's resposibility to communicate
those flaws better, they indeed offered better padlocks and a mechanic
(setup.exe) to install them.

A customer refusing to open his door to the guy walking around and
informing him of flawed tires, not opening his mail and - even if aware
that the padlocks are screwed - neglects to put the new ones on (at no
cost, mind you), should be slapped with the UNIX bible until unconscious
for endangering others and himself in a particularly stupid manner.

Let's just repeat that:

- Microsoft is a known flawed OS

- IIS is a known flawed component of this flawed OS

- There are more than a few sites out there selling or offering security
  advise for free

- The fix has been out for months

- The fix has already been exploited by smaller, less media active worms

- The owners of said Websites in some/most cases offer services to a
  third party, are therefore by no means 'the poor schmock with the
  Firestone tires' but rather 'the owner of Ryder, Inc.'. These servers
  put customer data and confidential information in jeopardy long before
  the worm struck and in quite a few cases still do, even though most of
  the attack points are fixable.

- Few of the infected hosts have learned a damned thing from this
  attack, just look for iisadmpwd at those hosts - a week after the

... facts dutyfully ignored by said 'Administrator's of said boxen.

In this case network and system administrators had a bad time with long
hours trying to stop something from happening that did not need to
happen and that would have not happened would 90% of the socalled
Internet Experts out there understand even the basics of their work.

I am not ready to push the blame towards M$, even though I'd love to see
that Monopoly drown in a big bucket full of the tears and sweat shed by
innocent bystanders who got hit by crap like this one, but in this case
the perp sits somewhere else and needs to - at least for once - be made
aware of the mess he created and the costs that resulted from it.

<@rs> someone the other night suggested that defcon was actually about
      drinking, not hacking
<@rs> so i went to my wine rack and did some port scanning.
<@rs> i found warez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list