From: hades at psilanthropy.org (Anders Langworthy)
Subject: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...

J.A. Terranson wrote:
> This "story" really just reflects what has been going on in the real world
> for some time now.

Yes.  Another incident from two years ago that demonstrates this 
philosophy quite well:

[From http://www.eweek.com/article2/0,1759,921855,00.asp]
[FEDS MOVE TO SECURE NET]

"The most significant move is the development of a private, 
compartmentalized network that will be used by federal agencies and 
private-sector experts to share information during large-scale security 
events...

"Sachs...pointed to last week's handling of the critical vulnerability 
in the Sendmail Mail Transfer Agent package as a prime example of how 
such back-channel communication between vendors, researchers and the 
government can help protect end users. Researchers at Internet Security 
Systems Inc., in Atlanta, discovered the vulnerability in mid-February 
and immediately notified officials at the White House and the Department 
of Homeland Security.

The government quietly spread the word among federal agencies and, along 
with ISS, began contacting the affected vendors. After the vendors 
developed patches, the fixes were deployed quickly on critical 
government, military and private-sector machines before the official 
announcement of the vulnerability."
