Text 6083, 227 rader
Skriven 2005-07-15 15:02:34 av Rich (1:379/45)
Kommentar till text 6078 av Geo (1:379/45)
Ärende: Re: eeye's irresponsible self-serving behavior
======================================================
From: "Rich" <@>
This is a multi-part message in MIME format.
------=_NextPart_000_00DA_01C5894E.3BEA1C60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
You are mistaken. IMHO, there are two major visible areas of change =
in SP2. One are the changes enabled by new hardware support for NX = together
with related protection backported from Windows Server 2003 = SP1. These are
visible to developers but not much to end users so I = would not be surprised
if this isn't considered a major visible change = to many. There are no bug
fixes here. Just using the new capabilities = to mitigate against harm if an
attack manages to get through. The = second are the UI changes like changing
from modal dialogs and message = boxes to the modeless information bar in IE or
text and graphics changes = to existing warnings. Again there are no bug fixes
here. The purpose = of these changes is to further discourage users from
taking action = against their own interest. SP2 includes fixes like those you
expect to = find in an SP but nothing stands out in my mind.
As for the claim that eeye was doing anything except creating harm to =
the public for their own self-interest is laughable. Off the top of my = head
I can't think of any instance of eeye doing more than exploiting = trivial
bugs. This is why I have stated several times that their work = is interesting
only in the great harm they promote and not in any = technical sense. In
particularl it has the feel of being found by an = automated tool, which they
had claimed in earlier press. If you want = examples of folks that find
interesting stuff, look at some of the folks = doing HTML based attacks, which
are more likely design flaws not simple = bugs, or the Litchfields which report
on interesting areas though ones = that usually apply after exploiting some
simple bug.
One thing I find humorous is that you from time to time go off on =
some "think like a hacker" rant as if it is a reflection on how to find =
problems. The eeye folks issue press releases on not so interesting = problems
and fail to demonstate any thinking like a hacker in this = sense. Where they
do fit this term is if you use it in the sense of = "think like a criminal" in
that they make an effort to cause damage to = others for their own financial
gain. It is entirely within their power = to change from irresponsible
self-serving jerks to serve the greater = good and still sell their products
and eat. They choose not to. You're = not just excusing their reprehensible
behavior but encouraging it = reflects badly on you.
Rich
"Geo" <georger@nls.net> wrote in message news:42d81f37@w3.nls.net...
Almost all the stuff fixed in the biggest security update for windows, =
XPsp2, were motivated by worm writers, virus writers, and other exploit =
coders, not by people reporting bugs. Why weren't these changes made = years
before eeye existed when the security industry was hammering on = microsoft for
their unsafe defaults, insecure features, etc? It took = YEARS of world wide
infections to motivate Microsoft to act.
Geo.
"Rich" <@> wrote in message news:42d7d564@w3.nls.net...
I can't speak for processes at vendors I have not seen but at =
ones I have plenty of bugs get fixed without the irresponsible = self-serving
behavior of eeye. For example, look at =
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt35/ussp3/RE=
ADME.TXT. This is from June 1995, years before eeye existed. You can =
see this is not the earliest but it is early enough to prove the point. = In
addition to integrated service packs, hotfixes have long existed. = When I
worked at Sperry they did the same. IBM has long done the same.
The folks at eeye can eat by making good products. What you =
assert is that they should remain in the protection market in the old = sense
by making threats and selling protection from the threats of their = own
making. This is reprehensible. They could just make good products = that
people value and sell them without creating threats and harming the = public.
Rich
------=_NextPart_000_00DA_01C5894E.3BEA1C60
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2668" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2> You are mistaken. =
IMHO, there=20
are two major visible areas of change in SP2. One are the changes =
enabled=20
by new hardware support for NX together with related protection = backported
from=20
Windows Server 2003 SP1. These are visible to developers but not = much
to=20
end users so I would not be surprised if this isn't considered a major =
visible=20
change to many. There are no bug fixes here. Just using the =
new=20
capabilities to mitigate against harm if an attack manages to get =
through. =20
The second are the UI changes like changing from modal dialogs and = message
boxes=20
to the modeless information bar in IE or text and graphics changes to =
existing=20
warnings. Again there are no bug fixes here. The purpose of =
these=20
changes is to further discourage users from taking action against their =
own=20
interest. SP2 includes fixes like those you expect to find in an = SP
but=20
nothing stands out in my mind.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> As for the claim that eeye =
was doing=20
anything except creating harm to the public for their own self-interest = is=20
laughable. Off the top of my head I can't think of any instance of =
eeye=20
doing more than exploiting trivial bugs. This is why I have stated =
several=20
times that their work is interesting only in the great harm they promote = and
not=20
in any technical sense. In particularl it has the feel of being = found
by=20
an automated tool, which they had claimed in earlier press. If you =
want=20
examples of folks that find interesting stuff, look at some of the folks =
doing=20
HTML based attacks, which are more likely design flaws not simple bugs, = or
the=20
Litchfields which report on interesting areas though ones that usually =
apply=20
after exploiting some simple bug.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> One thing I find humorous =
is that you=20
from time to time go off on some "think like a hacker" rant as if it is = a=20
reflection on how to find problems. The eeye folks issue = press=20
releases on not so interesting problems and fail to demonstate any =
thinking=20
like a hacker in this sense. Where they do fit this term is if you = use
it=20
in the sense of "think like a criminal" in that they make an effort to =
cause=20
damage to others for their own financial gain. It is entirely = within
their=20
power to change from irresponsible self-serving jerks to serve the = greater
good=20
and still sell their products and eat. They choose not to. =
You're=20
not just excusing their reprehensible behavior but encouraging it = reflects
badly=20
on you.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rich</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Geo" <<A =
href=3D"mailto:georger@nls.net">georger@nls.net</A>> wrote=20
in message <A=20
=
href=3D"news:42d81f37@w3.nls.net">news:42d81f37@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2>Almost all the stuff fixed in the =
biggest=20
security update for windows, XPsp2, were motivated by worm writers, =
virus=20
writers, and other exploit coders, not by people reporting bugs. Why =
weren't=20
these changes made years before eeye existed when the security =
industry was=20
hammering on microsoft for their unsafe defaults, insecure features, =
etc? It=20
took YEARS of world wide infections to motivate Microsoft to =
act.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Geo.</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>"Rich" <@> wrote in message <A=20
=
href=3D"news:42d7d564@w3.nls.net">news:42d7d564@w3.nls.net</A>...</DIV>
<DIV><FONT face=3DArial size=3D2> I can't speak for =
processes at=20
vendors I have not seen but at ones I have plenty of bugs get fixed =
without=20
the irresponsible self-serving behavior of eeye. For example, =
look at=20
<A=20
=
href=3D"ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt35/=
ussp3/README.TXT">ftp://ftp.microsoft.com<FONT=20
=
color=3D#0000ff>/bussys/winnt/winnt-public/fixes/usa/nt35/ussp3</FONT><FO=
NT=20
color=3D#000000>/README.TXT</A>. This is from June 1995, =
years=20
before eeye existed. You can see this is not the earliest but =
it is=20
early enough to prove the point. In addition to integrated =
service=20
packs, hotfixes have long existed. When I worked at Sperry =
they did=20
the same. IBM has long done the same.</FONT></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> The folks at eeye can =
eat by=20
making good products. What you assert is that they should =
remain in=20
the protection market in the old sense by making threats and selling =
protection from the threats of their own making. This is=20
reprehensible. They could just make good products that people =
value=20
and sell them without creating threats and harming the =
public.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rich</FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2></FONT> </DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_00DA_01C5894E.3BEA1C60--
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
|