| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mvp at joeware.net (joe) Subject: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore... I didn't see Tamas' original note but this program isn't an early patch release program. It is a program for beta testing patches just like the other beta's MS and other companies do. It is simply locked down considerably more due to the possible issues surrounding it. The patches could definitely change prior to actual public launch. As such, the patches aren't intended to be loaded on production equipment and in fact it is explicitely stated to not load it in production if I recall corrrectly. The intent is for external customer test labbing to find the most egregious issues and functionality breaks they may cause so it doesn't impact the user community at large. The folks brought into the beta are the ones most likely to test the patches on a wide variety of scenarios. Unlike many of the other betas, you have an actual testing and feedback requirement and have to agree to that requirement before being allowed in. I previously was a consultant at a large company that was asked if they wanted to be in this program and we declined because we couldn't handle the additional workload that it required as a participant. We just didn't have the resources available. Here is a link that maybe makes the test nature a little more clear http://www.internetnews.com/security/article.php/3489586 -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of J.A. Terranson Sent: Saturday, March 12, 2005 12:15 PM To: Tamas Feher Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore... This "story" really just reflects what has been going on in the real world for some time now. Microsoft, Cisco, Juniper, etc., all have both vested interests and public policy interests in notifying those who would be most affected first. This is good public policy as well: if the national infrastructure is compromised, we are all up shit's creek, if Joe's Corner Store is compromised, only Joe and possibly Joe's small geographic user base is hosed. Decrying this shows you have not thought the problem through Tamas. -- Yours, J.A. Terranson sysadmin@....org 0xBD4A95BF "Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses." http://www.tshirthell.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Powered by blists - more mailing lists