Gregory, Given some hours to think about this topic, my post, and your thoughtful reply - I concur that you nailed it on the head and I read way too much into Fabio's post. And, because of the long-running thread, much of the initial assertion and report (true - it IS good work) was lost in the various poster's replies.
So, to that - I take complete blame for not following back far enough to understand the total context of the message. But, I will stand by my statement that the juicy target is still Windows and IIS. In another post - I stand corrected in the fact that Apache is, percentage-wise, a juicy target. Touch�. However, why write for Apache when IIS is so much easier still? IIS 6.0 makes strides.... But, the community as a whole will not truly be safer until the entire package is treated with the same 'crap - let's just re-write it' attitude. (This, naturally assumes that MS and it's products are in existence - if the counter takes place, it's not much of an issue...) Thanks for the reality check, Gregory. -rtk -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory A. Gilliss Sent: Saturday, September 27, 2003 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly I suspect we are starting a game of telephone ... It appears to me (and I'm going to be nice and *not* include the entire thread in the message ;-) that this started out with the citation of the CCIA paper regarding Dan Geer getting shown the door. The response (which was posted by Jon on behalf of Fabio) ends with the statement "These guys have done a GREAT WORK!" which appears to refer to the paper (Geer et al). Unfortunately that post was preceded by some rant and ramble that did not clearly support the final thought (namely "huzzah for Geer et al"). Taken individually, Fabio's points include: - Removing Microsoft's monopoly somehow also will remove AV companies - Microsoft doesn't give a rat's a** about security - Vulnerabilities can only be fixed before they become a business - Open source software has not been targeted by viruses - Open source rulez - Geer et al wrote a great report FWIW, my replies to the assertions (as I have enumerated them above): - false assertion - true assertion - ? - true (exploits, OTOH...) - agree - strongly agree With apologies to Fabio, I suspect that this may be an example of a non-native English speaker's post being misinterpreted. I truly doubt that the intent was to incite a discussion of Microsoft and/or virus writing. That was actually (and if Fabio reads this and disagrees I hope that he will correct me) just fodder for the final show of support for the report by Geer et al. For the record, I am withholding comment on Geer's separation and @Stake's position until and unless more facts come to light. I suspect several of the @Stake guys can read this and that they are free to participate in the discussion (...or maybe not). I stand by my prior post - the report stands on its own merits. G On or about 2003.09.26 23:07:14 +0000, Rick Kingslan ([EMAIL PROTECTED]) said: <SNIP> Find it yourself - clipped for brevity </SNIP> -- Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420 Computer Engineering E-mail: [EMAIL PROTECTED] Computer Security ICQ: 123710561 Software Development WWW: http://www.gilliss.com/greg/ PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
