[extropy-chat] SPAM: more news

Eugen Leitl eugen at leitl.org
Mon Feb 16 22:11:29 UTC 2004


On Mon, Feb 16, 2004 at 11:36:20AM -0800, Russell Evermore wrote:

> Ohhhhhhhhh alright already! (I've already done some study on
> Thunderbird)

It's not necessarily a good MUA for you. I'd spend some time checking out the
alternatives.
 
> But here's the thing. Why do I keep getting stuck on the notion that
> IE and Outlook Express may simply "appear" more vulnerable because a
> gajillion seething, anti-Microsoft, Gates bashing,
> jealous-of-the-fact-a-geeky-nerd-actually-made-it-big, vandal
> mentality hackers keep relentlessly attacking these products?

It's remarkable how many things you can get wrong in a single sentence. IE
and Outlook/Outlook Express (which are deeply intertwingled, as both use the
same rendering engine for rich formats -- yes, this is one of the reasons why
rich formats are so evil) are 1) very buggy 2) being shipped by a vendor who
doesn't care about fixing known bugs; both of which are very well documented.

They're not being more attacked than the open source alternatives. The
opposite is in fact the case: far more h4x0r d00dZ write exploits against open
source systems. This is both because these are free, ship with quality tools,
and have a hacker culture, which crackers and script kiddies leech upon. And
come with source, exposing their soft white hairy underbelly. If you get the
source for a closed-source *insecure* system leaked, you'll get the worst of
all worlds. Honest people will avoid looking at the code, lest they become
tainted. Blackhats will just snarf it up, and swap vulnerabilities through the
grapevine (the ones you see strut are just showing off, so they can found
their little security consulting rackets). You've seen the result of leaked
code: 2.5 years old, a part of sources which is supposed to be safe; and we
can already execute arbitrary code with a custom BMP image. Yeah, IE rendering
engine, preview pane, you know the drill. And that's just full disclosure
wannabes. You never release
a good vulnerability, you just exploit it carefully, so that you never show
up on the radar.

They're not going to become vulnerable; the very opposite. A vulnerability
without exploit will never get fixed. You will only get a new patch when the
latest exploit is already making the rounds.
 
> Yes I will switch, I'll switch dammit, but may my new platforms never
> become overly popular, and may the creators of these products all look

Try 'diversity'. OS X doesn't have a good security school either, but you'll
see less h4x0rs who can write PowerPC shellcode, simply because Macs are too
expensive for them. And of course if address space is filled up with
heterogeneous systems (which, incidentally, are more secure by default, simply
because Windows is such an awful piece of work) you'll get less fulminant
growth kinetics, once a worm starts cruising the local few-hop 'hood. And of
course only a fraction of the infrastructure will get taken out, instead of
blighting the entire acres over acres of monoculture cash crop.

> like Mel Gibson and Tom Cruise, and may everyone else keep on using
> Microsoft to keep this ugly horde of orks otherwise occupied.

No, they actually should do their worst. And be a lot better than we're
getting now, because the h4x0r/script kiddie of today has no talent. It takes
more talent to exploit more hardened systems.
 
> And come to think of it, America is coming under a similar kind of

U.S. is just another country in North America, which is yet another
continent. Relatively important still, but becoming less so by the minute, as
the rest of the world goes through with the programme.

> attack, so maybe we should all just abandon that as well to search for
> better security elsewhere - maybe Antarctica, or Mars.

Try artificial immune systems, along with natural diversity. It's all the
rage in the ivory tower, these days. 

-- Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net