Re: [Full-Disclosure] Support the Sasser-author fund started
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Support the Sasser-author fund started
- From: James Bliss <james.bliss@xxxxxxxxxxx>
- Date: Sat, 15 May 2004 23:07:14 -0500
> Imagine you own a home and installed a security system on all the doors
> and windows. You set the alarm and leave for a weekend.
OK
> A thief comes up to your house, breaks a window, and slides through the
> opening. The alarm does not go off because the thief found a
> vulnerability in the security system.
>
> Do you blame the security company that installed your intrusion
> detection system?
Yes, and then I sue the security company for failure to provide what was
paid for. I believe this would be a warranty provision which the security
company breached.
> Plus, most of the software is released to the public in the form of
> Betas or Release Candidates months ahead of the release date. If
> identifying security holes was that easy then why aren't there more
> vulnerabilities reported before the 'gold' release of products?
The primary purpose for this release is to allow a specific group of
developers and software companies the opportunity to prepare for the new
release. It is not specifically released for security testing although I
am certain that this is performed to a limited extent (although it would
be more fruitful if they paid for security audits rather than assume they
are performed gratuitously).
> I do expect that any computer user should have fundamental security
> training before using it. After all, the computer is a tool. Nobody
> should operate a microwave or chainsaw without reading the safety
> instructions. The same care should be taken for computers.
Therefore we should license computer users and require tests before they
are allowed to buy and/or use a computer? Something along the lines of a
driver's license? Also, have you seen some of the absurd warnings in the
operating manuals - 'Do not touch the chain saw blade while in motion'.
Perhaps all computers should have a warning - 'Do not use if you are an
idiot'. But then most internet commerce would cease...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html