Text 6094, 215 lines
Written 2005-07-16 12:29:18 by Geo (1:379/45)
Comment on text 6083 by Rich (1:379/45)
Subject: Re: eeye's irresponsible self-serving behavior
======================================================
From: "Geo" <georger@nls.net>
from
http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
Overview
Microsoft Windows XP Service Pack 2 (SP2) provides new proactive security
technologies for Windows XP to better defend against viruses, worms, and
hackers.
The very first sentence specifically says exactly what I was saying, you want
to argue, argue with Microsoft. It was not motivated by people reporting
bugs, it was motivated by virus, worms, and hackers.
Geo.
"Rich" <@> wrote in message news:42d830cd@w3.nls.net...
You are mistaken. IMHO, there are two major visible areas of
change in SP2. One are the changes enabled by new hardware support for NX
together with related protection backported from Windows Server 2003 SP1.
These are visible to developers but not much to end users so I would not be
surprised if this isn't considered a major visible change to many. There are
no bug fixes here. Just using the new capabilities to mitigate against harm
if an attack manages to get through. The second are the UI changes like
changing from modal dialogs and message boxes to the modeless information bar
in IE or text and graphics changes to existing warnings. Again there are no
bug fixes here. The purpose of these changes is to further discourage users
from taking action against their own interest. SP2 includes fixes like those
you expect to find in an SP but nothing stands out in my mind.
As for the claim that eeye was doing anything except creating harm
to the public for their own self-interest is laughable. Off the top of my
head I can't think of any instance of eeye doing more than exploiting trivial
bugs. This is why I have stated several times that their work is interesting
only in the great harm they promote and not in any technical sense. In
particular it has the feel of being found by an automated tool, which they
had claimed in earlier press. If you want examples of folks that find
interesting stuff, look at some of the folks doing HTML based attacks, which
are more likely design flaws not simple bugs, or the Litchfields which report
on interesting areas though ones that usually apply after exploiting some
simple bug.
One thing I find humorous is that you from time to time go off on
some "think like a hacker" rant as if it is a reflection on how to find
problems. The eeye folks issue press releases on not so interesting problems
and fail to demonstrate any thinking like a hacker in this sense. Where they
do fit this term is if you use it in the sense of "think like a criminal" in
that they make an effort to cause damage to others for their own financial
gain. It is entirely within their power to change from irresponsible
self-serving jerks to serve the greater good and still sell their products
and eat. They choose not to. You're not just excusing their reprehensible
behavior but encouraging it reflects badly on you.
Rich
"Geo" <georger@nls.net> wrote in message news:42d81f37@w3.nls.net...
Almost all the stuff fixed in the biggest security update for
windows, XPsp2, were motivated by worm writers, virus writers, and other
exploit coders, not by people reporting bugs. Why weren't these changes made
years before eeye existed when the security industry was hammering on
microsoft for their unsafe defaults, insecure features, etc? It took YEARS of
world wide infections to motivate Microsoft to act.
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)