nCircle.com >> 360 Security


Users are to blame for software vulnerabilities, and no one else

And I include myself in that group. This is a problem we all cause and suffer from.

I was reading through a blog entry by Anton Chuvakin over at O'Reilly (http://www.oreillynet.com/pub/wlg/7749#thread) and followed a link (http://www.misterpoll.com/1895245195.html) to where, at time of writing, 87% of people voted the vendors as being the most responsible for software vulns.

I understand that sentiment, but it's misplaced. It does very little to get vendors to fix things. It's similar to what my wife and I call 'Toronto Disease'. If you don't live in Toronto, you may not have witnessed it: when we Torontonians see something that pisses us off, rather than do anything about it, we glare and bitch to each other about what a jackass the person is being. We seldom, if ever, actually go up to the person and talk to them about what they're doing and where the fault lies, nor do we remove ourselves from the situation. In other words, we complain and do very little to fix it and make our lot better. Then again, we don't start imbroglios based on specious intelligence either. It's good to hold back sometimes ;)

It's the same with software. Let's take the crap that Microsoft, Oracle and others publish. Yeah, it's riddled with holes that they try to hide while giving the customer the Patch Tuesday reach-around so they feel good. But does anyone really think the situation is improving? I'm sure numbers could be trotted out to say things are getting better, but c'mon - are your days substantially better for their glorified new security initiatives?

If I may lame out and reuse a quote from a blog comment I left, it's that "You can't blame the butcher for selling what people are buying". You aren't doing anything to change the world and make it a better place by yelling "Oh poor me! The vendors make crap! They're so evil - damn them!". Well guess what - YOU, THE HORDES OF COMPLAINERS, are the ones to blame.

Until we learn to suffer and do without, rather than buy the crap for sale, the situation is not gonna change. Until you learn that some stuff you should do yourself rather than fork out cash, it's not gonna change. Here's one area where Open Source shines. Until you vote with your feet and your dollars, THINGS ARE NOT GONNA CHANGE. Take responsibility for yourself.

Comments (4)

There's NO question that the protection of a computer is a balance of user and technology. And I agree that end-users must educate themselves.

However, most AntiVirus & AntiSpyware software's default settings do NOT scan for all possible problems! And the default settings for most commercial Wireless Networks are withOUT Security turned on! Some examples:


SpyBot Search & Destroy

1) Launch program and check for (& install) updates
2) Select “Advanced Mode” from the “Mode” pull-down menu
3) Click on the “Tools” button on the side toolbar
4) Select ALL Tools except for the “Bug Report” (only needed when troubleshooting the SpyBot program)
5) Click on the “Settings” button on the side toolbar
6) Click on “Ignore Products”
7) Select “All Products” – then right-mouse click on the list and “Deselect All” items, but (re)select “DSO Exploit”
8) (Re)immunize to include the newly included “All Products”
9) Click on “Check for problems”

--------------------------------------------------------------------------------
Lavasoft’s AdAware

1) Launch program and check for (& install) updates [click on "Check for updates now" -- click "Connect" to continue, then "Finish"]
2) Click "Start" to begin scanning.
3) The first time requires that we configure the settings -- click on "Customize" (Change all items that are RED "X" (not grey) to GREEN "Check") -- Select ALL of your local hard drives
4) Click "Customize" to select this type of scanning
5) Click "Next" to begin scanning.

--------------------------------------------------------------------------------
Microsoft’s AntiSpyware

1) Launch program and check for (& install) updates (under the File pull-down menu)
2) Click on “Scan Options”
3) Select “Run a full system scan’
4) Ensure that all check boxes are selected (as well as ALL of your local hard drives)
5) Click on “Save these options” then “Run Scan Now”

anonymous:

So, uh, then we shouldn't use Linux because bugs have been found in Linux.

Or, anything else.

That is really stupid and conceited.

It means your own code has not been well tested.

Ok, so how do you evaluate the software you're about to buy?

Byron Sonne:

> Ok, so how do you evaluate the software you're about to buy?

I don't buy software in a business capacity; that's a responsibility handled by other folks at nCircle. This way we keep our licensing above board and behave legally.

The few times I have purchased software myself, for myself, it's usually because I've acquired an unlicensed/cracked/pirated copy first and tried it out. Or it's back when I was a Microsoft weenie and didn't know better. If it works and I can tolerate it, I generally buy it. It goes without saying that I've researched it first and tried out competitors, preference being given to free software versions with source provided. This way I can fix bugs or things that bother me, something I *have* done in the past, though more often than not I'm insufficiently skilled to pull it off.

> So, uh, then we shouldn't use Linux because bugs have been found in Linux.
> Or, anything else.
> That is really stupid and conceited.
> It means your own code has not been well tested

Take a breath, and read the article again. I never said that Linux is bug free, or that anything is and ever could be. I think you're reading your own agenda into things.

It's about responsibility and what it would take for a solid resolution. I never said that we couldn't or shouldn't use any buggy software until things are better. I was promulgating the belief that one must understand the situation, and accept the crap we use, and our culpability in the whole process. There's no point mindlessly complaining when we're part of the problem. Better to create new opportunities and fix the problem ourselves than relying on vendors.


About

This page contains a single entry from the blog posted on October 3, 2005 12:27 PM.

The previous post in this blog was Talk vs. Action (Specs are Useless).

The next post in this blog is SCADAGard SIG To Be Established.
