Re: [Full-Disclosure] Web sites compromised by IIS attack
From: Denis Dimick (denisdimick.net)
Date: Wed Jun 30 2004 - 22:05:44 CDT
Please see below.
On Wed, 30 Jun 2004, Frank Knobbe wrote:
> On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:
> > I'm right there with you, Frank, on one condition. You hold *every*
> > software vendor to the same standard.
> > [...]
> > If we're going to require that software vendors produce flawless products,
> > we're not going to have many software products. Even Postfix, which *to my
> > knowledge* has never had a security issue, has had numerous bug fixes.
> > (And I think so highly of Postfix that the first thing I do when I install
> > a new OS is replace sendmail with Postfix.)
> Heya Paul,
> Well, there is a difference between *free* stuff you choose to pull from
> the Internet and run yourself. Community driven projects should require
> that everyone running the product is doing their part to fix flaws (even
> if it just means reporting it to someone who can fix it).
They pretty much do. That is if the application is one that users have
found worth supporting.
> The difference is with products you *pay for*. If you *buy* a product
> you trade your money (perhaps chicken in other parts of the world) in
> the amount considered to equal the worth of the product. You should
> expect to receive a working product in return.
> My beef is that we started to accept broken products, and we assumed the
> task of fixing broken products ourselves. That task should not fall on
> us but on the manufacturer.
So can I assume that you would allow a vendor to remotely patch your
> > We need better methodologies for finding bugs in software.
> Right. But we also need better methodologies for vendors to fix their
> products. The emphasis here is on "the vendor fixing the broken
> product". It should not be a burden on the consumer, but on the vendor.
Like I said, do you REALLY want a vendor to install patches for you?
> And yes, I'm not targeting Microsoft in particular, although they are
> the most blatant abusers of consumer rights. I intentionally included
> all manufacturers of commercial software products.
I think, Frank, that you're starting to point out a problem for M$ and other
vendors. They don't have the money to support their products any longer.
M$ has somewhere like 20,000 paid programmers. How many programmers are
working on open source products? 100,000 plus, maybe more. How do you
expect a company like M$ to compete? I don't think they can.
Full-Disclosure - We believe in it.