lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3EFFF3A7.9000405@d2.net.au>
From: andrewg at d2.net.au (Andrew Griffiths)
Subject: Microsoft Cries Wolf ( again )

Thilo Schulz wrote:
> On Tuesday 01 July 2003 00:58, mattmurphy@...rr.com wrote:
> 
>>The ZDNet article hit the point right on the head.  It is irresponsible to
>>leave the vendor uninformed before going public.  Doing that helps
>>absolutely nobody.  If you're going to take the interpretation of full
>>disclosure literally, notification of the vendor and the public is
>>simultaneous.  There will be radicals who say that notifying none is what
>>should have happened here -- and even that policy is better than blindly
>>rifling off details of a remotely exploitable buffer overflow to every
>>kiddie in the world without a workaround of any kind.  The
>>poorly-structured original post didn't even make the faulty code clear.
> 
> 
> While I agree, that you should at least provide some kind of workaround, I 
> strongly disagree with criminalizing anyone who stands for full disclosure.
> 
> I, as user and administrator, personally would rather have someone disclose a 
> vulnerability prematurely with a workaround that I can use than someone being 
> quiet while piling up a huge dDoS host collection / passing his t00lz around 
> in the blackhat community. Not everyone is as good a person as microsoft 
> wants to have them - and frankly - if I discovered a bug I would not do 
> "cooperation" that stretches endlessly over weeks and eventually after half a 
> year the hole is patched.
> In fact they should be grateful for everyone who does not hold back 
> information about bugs in their software.
> 

While people may not be what Microsoft, Microsoft's security handling is 
not good enough for some people.

[snip]

> 
> I do not understand why things like support for this can be turned on by 
> default. The result of this lax security policy could be seen in recent 
> worms. And this is what really makes me sick: Trustworthy Computing Campain, 
> but when it really comes down to the dirty work of patching they moan about 
> everyone who does not follow their strict guidelines on reporting 
> vulnerabilities.
> 
>  - Thilo Schulz

Indeed. Also, making people, (by the usage of the term) think it is 
trustable, they are more likely to do ecommerce/feel safe doing online 
stuff.

Sincerely,
Andrew Griffiths

Powered by blists - more mailing lists