[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Re: MS not telling enough - ethics

To: perfectirijillo@xxxxxxxxx, jasonc@xxxxxxxxxxx
Subject: Re: [Full-disclosure] Re: MS not telling enough - ethics
From: "DAN MORRILL" <dan_20407@xxxxxxx>
Date: Thu, 18 Aug 2005 18:31:51 +0000

Good afternoon folks,

You know I find this interesting in that we are stating ethics, and this is something that is important to the information security community at large. So who's ethics do we apply, if I was to follow the CISSP code of ethics, in that consorting with non-professionals, would mean that I could not teach information security in college (which I do), nor could I teach what I know to developers or programmers or others who are not information security professionals (which I do) to help them develop better products. One of the reaons why I don't have a CISSP is because of that clause in the code of ethics, I would violate it right and left everytime I got in front of a classroom.

So what we need is a universal code of ethics that everyone could agree on (herding cats by the way can be entertaining). So how ethical was it for someone to post anon about msdss.dll this morning and how many people did they put at risk (even if it took someone 6 months to do something, heck Oracle has taken over 2 years to fix a security issue, very few whine about them).

Do we know of a software company that is not guilty of not patching now, today, this very instant? So before we go off slamming people, we need to take a look at our own house first, how do we fix our problems in information security, as they said at DefCon 2005 Bring your brains, leave the attitude.

We need to do that more often, and stop slamming on each other, and start setting real standards that can be directly applied, much like doctors, lawyers, nurses. We have the same ability to ruin other people's lives as any doctor, lawyer or nurse. We need accountablity against those standards, much like any other profession.

Until the day comes when we as a group can do this, this is an interesting side note, but what if anything are people actually doing. We do need a universal and agreed way of doing things, like for instance Forensics, hack and pen, proccedures, et al. But we don't have them, we have widely scattered guidelines. We have no offical body to hold the community standards (we really don't have any thing that is otherwise vauge). We have no universal standard of competency in the IS field or any of its subsets.

So much like an earlier thread on this one, so what are "we" going to do about it?

R/Dan

Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.

From: J u a n <perfectirijillo@xxxxxxxxx>
To: Jason Coombs <jasonc@xxxxxxxxxxx>
CC: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Re: MS not telling enough
Date: Thu, 18 Aug 2005 15:12:57 -0300
On 8/18/05, Jason Coombs <jasonc@xxxxxxxxxxx> wrote: > > So there ya go. I suppose you'll > > find something new to complain > > about, or to be rude about. > > Whenever possible, yes. > > It's amazing how much you support Microsoft. Don't you know that it is in the continued support that you give them that they derive their continued opportunities to harm others? > > Of course, the more you and others support Microsoft, the more your expertise grows in value. > > Compare your decision-making and ethics to the decisions made by me and others who, after hard work and sacrifice to gain over a decade worth of training, education, skill and work experience with Microsoft products, grew to understand that it causes harm to the entire world for us to apply that skill in any fashion that helps Microsoft. > > I swore an oath never again to apply my skills in a way that helps Microsoft. > > ... or to help any other organization that knowingly causes harm with reckless disregard for the well-being of others. > > Integrity, competency, and those who prove they are good people must be supported, and anyone who lacks integrity, competency, and has proven they are bad must be opposed. > > To do otherwise demonstrates the same self-serving and wrong thinking that enables Microsoft to con its victims in the first place. > > Glad to see Microsoft give an opinion that more clearly explains that their Windows 2000 product is inherently defective and shouldn't be used if you intend to connect it to a computer network. > > That was the conclusion that I arrived at after performing a forensic review of IIS 5.0 -- you'll find my analysis contained within my book about IIS security: > > http://www.science.org/jcoombs/ > > http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pdf > > Best, > > Jason Coombs > jasonc@xxxxxxxxxxx > > > -----Original Message----- > From: "Kurt Seifried" <listuser@xxxxxxxxxxxx> > Date: Thu, 18 Aug 2005 11:00:04 > To:<jasonc@xxxxxxxxxxx> > Subject: MS not telling enough > > They just updated MS05-039. > > Windows 2000 systems are primarily at risk from this vulnerability. Windows > 2000 customers who have installed the MS05-039 security update are not > affected by this vulnerability. If an administrator has disabled anonymous > connections by changing the default setting of the RestrictAnonymous > registry key to a value of 2, Windows 2000 systems would not be vulnerable > remotely from anonymous users. However, because of a large application > compatibility risk, we do not recommend customers enable this setting in > production environments without first extensively testing the setting in > their environment. For more information, search for RestrictAnonymous at the > Microsoft Help and Support Web site. > > So there ya go. I suppose you'll find something new to complain about, or to > be rude about. > > -Kurt > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Ok, I think it's time to filter your email from my inbox.
Don't take it the wrong way, but I don't care about your fights with
some guy named Kurt,
or the stupid forensic dudes or the laws or politics of your country.
All I care about is securiy, if I ever want to discuss other stuff
I'll subscribe to another
list, forum, whatever.
Have a nice day.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________ On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Re: MS not telling enough - ethics
  - From: TheGesus
- Re: [Full-disclosure] Re: MS not telling enough - ethics
  - From: Jeremy Bishop
- [Full-disclosure] Re: not telling enough - ethics
  - From: Bennett Todd

References:
- Re: [Full-disclosure] Re: MS not telling enough
  - From: J u a n

Prev by Date: Re: [Full-disclosure] Re: MS not telling enough
Next by Date: Re: [Full-disclosure] Re: MS not telling enough
Previous by thread: Re: [Full-disclosure] Re: MS not telling enough
Next by thread: Re: [Full-disclosure] Re: MS not telling enough - ethics
Index(es):
- Date
- Thread