Date: Thu, 5 Jan 2006 21:33:12 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: what we REALLY learned from WMF


> What we really learn from this all WMF "thingie", is that when Microsoft 
> wants to, it can.
>
> Microsoft released the WMF patch ahead of schedule
> ( http://blogs.securiteam.com/index.php/archives/181 )
>
> Yep, THEY released the PATCH ahead of schedule.
>
> What does that teach us?

"We?"  "Us?"  Just who are you referring to?  A vulnerability was 
discovered, they researched it, created and tested a patch (like they always 
do) and issued it.  Done.  Move on, please.  There is nothing to learn here, 
other than the fact that everyone and their brother came out of the woodwork 
saying that the world was going to end and spreading misinformation.  I 
believe even *you* posted erroneous information.  Nice.

First everyone bitches about how bad Microsoft security is, how they don't 
"get it" and how they don't care.  Then, when they issue a patch 
out-of-cycle, we hear pompous comments like "See!  I told you so!  They can 
do it if they want to, so they should do EVERYTHING like this!!"   They 
handled it the right way, and still, they get criticism.  Great.

> Maybe it’s just that we are used to sluggishness. Perhaps it is time we, 
> as users and clients, started DEMANDING of Microsoft to push things up a 
> notch.

Oh, that's rich.  Let's see-- wasn't it YOU that said to Dave Litchfield 
regarding Oracle:

<snip>
> That is your choice.. although I personally believe you are being very
> extreme in your take on how alone Oracle is.
>
> It's not that I disagree with their behavior being questionable, I
> honestly believe a survey of how all vendors do where the s**t floats to
> the top without singling out the Bad but rather the Good, would work
> better.
</snip>

So, it's OK for Oracle to have the worst security (both in product and in 
attitude) of any vendor on the face of the planet,  and to take the "Oh, 
let's not pick on them by singling them out" mindset, but now you are 
DEMANDING that every patch be treated like the WMF patch just because YOU 
said so??  Why are you singling out Microsoft here?

What about WINE?  Where is your DEMAND that THEY patch immediately?  Where 
is the patch, anyway?  Oh, there isn't one yet.  Shouldn't you be ripping 
them a new one?  After all, WINE is still vulnerable to the WMF exploit.

> Put in the necessary resources, and release patches within days of first 
> discovery. I’m willing to live with weeks and months in comparison to the 
> year+ that we have seen sometimes. Naturally some problems take longer to 
> fix, but you get my drift.

Oh, I totally get your drift.  You are biased, and speak with a forked 
tongue.

t