Date: Tue, 25 Nov 2008 01:44:08 -0500
From: "Memisyazici, Aras" <arasm@...edu>
To: <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Microsoft takes 7 years to 'solve' a problem?!

<RANT>

<snip:: taken from MSRC Blog: http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx>

What we released today with MS08-068 is that security update. It addresses the SMBRelay issue (discovered in 2001) does so in a way that doesn’t have the negative impact on applications that we originally believed addressing this issue would have.

</snip>

So... Hmm... I wonder what would happen if the rest of the world followed suit with M$' approach, and took 7 years to "fix" an issue in order to "not cause a significant impact"...

Scenario:

Ppl: Hey Ford, if one brute-forces the keyless entry on the door, your car explodes...

Ford: well... I'll offer you three choices, two immediately, and the last one 7 yrs later. You can either not use the keyless entry system (we'll give you some shiny duck-tape to cover it) or you can use the biometric-knub system which requires that you have a knub... So those who have arms & legs can't use the system... (btw this will give birth to a whole new industry that will allow ppl to pay money for a product that fakes a knub for people with appendages) But it's biometric & cool this way! Or you can wait for 7 years and we'll release a non-exploding version of the keyless-entry system.

***************************************

OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is interpreting this, this way? Really? When has releasing a solution to a problem 7 years later ever been acceptable?

Jus' sayin' ...

</RANT>

Aras 'Russ' Memisyazici
Systems Administrator
Virginia Tech