[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <A17F658CFEC3344B8F9BCAD952926D9E8D5666@MAIL002.prod.ds.russell.com>
Date: Mon, 18 Jul 2005 08:55:56 -0700
From: <aaron_kempf@...mail.com>
To: "'security curmudgeon'" <jericho@...rition.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RE: RE: Why Vulnerability Databases can't do
everything
I didn't know this. Thank you for this information.
I just don't mean for VULNS. I mean for BUGS.
Like when you import stuff from Access.. You try to import a spreadsheet AND
IT DOESN'T FRIGGIN WORK.
Microsoft should be held financially liable for wasting my time and making
me try to use a workaround.
Microsoft should wake up to the idea that they CAN start making quality
software; but they purposefully keep buggy software and they just try to
sell you an upgrade.
Well, Microsoft-- these upgrades are just as buggy as the original.. SO
START FIXING THEM.
When you do something in Excel 10 times a day; and it crashes excel every
other time you do it-- that is a bug that Microsoft needs to fix.
It is JUST AS IMPORTANT as a security hole.
But somehow MS is on crack and doesn't care.
Microsoft isn't responsible enough to tie their own shoes; and I would like
a centralized location where I can report BUGS and then someone else will
convince M$ to spend their precious dollars on fixing their software.
I disagree with the premise that software can't be bug free.
Software CAN be bug free-- especially when you have $60bn in cash.
-Aaron
-----Original Message-----
From: security curmudgeon [mailto:jericho@...rition.org]
Sent: Saturday, July 16, 2005 4:32 PM
To: aaron_kempf@...mail.com
Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] RE: Why Vulnerability Databases can't do
everything
: So I think that there should be a government agency that coordinates
: this shit
: I call for federal government intervention. Microsoft has abused all of
: us for the last time. I have a list of a dozen bugs in Microsoft Access;
: and I know of one bug in SQL Server that those cornholers just wont fix.
: I mean-- SQL AUTHENTICATION IS IMPOSSIBLE TO SECURE. RIGHT?
This is good in theory, bad in practice (historically). Consider that we
already have government coordination for vulnerabilities. In fact, did you
know we have it half a dozen times over?
CERT
The CERT/CC is funded primarily by the U.S. Department of Defense and the
Department of Homeland Security, along with a number of other federal
civil agencies. Other funding comes from the private sector. As part of
the Software Engineering Institute, we receive some funds from the primary
sponsor of the SEI, the Office of the Under Secretary of Defense for
Acquisition and Technology.
CIAC
U.S. Department of Energy (DOE) funded
CVE
CVE is sponsored by the National Cyber Security Division (NCSD) at the
U.S. Department of Homeland Security. US-CERT is the operational arm of
the NCSD.
ICAT
ICAT is maintained by the National Institute of Standards and Technology.
US-CERT
US-CERT is part of the Department of Homeland Security
Little overlap? You bet there is. DHS is spending money on two of the five
listed above, which are just the biggest and most well known. There are
other incident response teams for other government agencies, some of which
maintain their own vulnerability databases.
Consolidation? Has there been any effort made to consolidate these? Not
that I have heard of, but there might have been (and it got nowhere).
So the U.S. government clearly sees a need for this type of activity, it's
just that it has not been implemented that well and there has been
relatively little coordination between the agencies and sources of
funding. Imagine one database being funded by and worked on all of the
people/agencies above.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists