What could have been done differently?

Scott Francis darkuncle at darkuncle.net
Wed Jan 29 01:58:39 UTC 2003


On Tue, Jan 28, 2003 at 11:22:13AM -0500, bicknell at ufp.org said:
[snip]
> That is, I think there is a big difference between a company the
> size of Microsoft saying "we've known about this problem for 6
> months but didn't consider it serious so we didn't do anything
> about it", and an open source developer saying "I've known about
> it for 6 months, but it's a hard problem to solve, I work on this
> in my spare time, and my users know that."
> 
> Just like I expect a Ford to pass federal government safety tests,
> to have been put through a battery of product tests by ford, etc
> and be generally reliable and safe; but when I go to my local custom
> shop and have them build me a low volume or one off street rod, or
> chopper I cannot reasonably expect the same.
> 
> The responsibility is the sum total of the number of product units
> out in the market, the risk to the end consumer, the companies
> ability to foresee the risk, and the steps the company was able to
> reasonably take to mitigate the risk.

*applause*

Very well stated. I've been trying for some time now to express my thoughts
on this subject, and failing - you just expressed _exactly_ what I've been
trying to say.

> > use for anything other than nailing stuff together.  Likewise, MS told
> > people six months ago to fix the hole.  "Lack of planning on your part does
> 
> It is for this very reason I suspect no one could collect on this
> specific problem.  Microsoft, from all I can tell, acted responsibly
> in this case.  Sean asked for general ways to solve this type of
> problem.  I gave what I thought was the best solution in general.
> It doesn't apply very directly to the specific events of the last
> few days.

Yes, in this particular case Microsoft did The Right Thing. It's not their
fault (this time) that admins failed to apply patches.

Of course, when one has a handful of new patches every _week_ for all manner
of software from MS, ranging from browsers to mail clients to office software
to OS holes to SMTP and HTTP daemons to databases ... well, one can
understand why the admins might have missed this patch. It doesn't remove
responsibility, but it does make the lack of action understandable. One could
easily hire a full-time position, in any medium enterprise that runs MS gear,
just to apply patches and stay on top of security issues for MS software.

Microsoft is not alone in this - they just happen to be the poster child, and
with the market share they have, if they don't lead the way in making
security a priority, I can't see anybody else in the commercial software biz
taking it seriously.

The problem was not this particular software flaw. The problem here is the
track record, and the attitude, of MANY large software vendors with regards
to security. It just doesn't matter to them, and that will not change until
they have a reason to care about it.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui