On Jun 8, 2010, at 10:37 PM, Paul Ferguson wrote:
On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong <owen@delong.com> wrote:
Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often.
Actually, that is another fallacy.
The majority of SQL Injections are on Apache-based systems.
SQL injection is an SQL attack, not a compromise of the HTTP daemon itself (usually partially a compromise of PHP or similar scripting language). The majority of compromises (buffer overflows, etc.) against the web server itself are IIS.
Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever.
Agreed... All vulnerable vendors should be treated the same. If you are selling software without source code and making money as "professional developers" by selling that software, then, it should come with liability for the damages caused by your failure to secure the software properly. If you're providing source code and allowing others to use it and you are not getting paid for developing it, then, obviously, it is ridiculous to hold you liable since the person who chose to use your source code has the ability to fix it to resolve any security issues.
The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys.
Yep.
I would certainly love to hear your solution to this problem.
Hold the owners of compromised systems financially liable for the damage they do. Make it possible for said owners to subrogate such claims against any suppliers of commercial closed insecure software which contributed to the compromise of their systems.
And stop pointing fingers.
No finger pointing there, just actual liability targeted at those actually responsible.

Owen