Message-ID: <3EFFF3A7.9000405@d2.net.au>
From: andrewg at d2.net.au (Andrew Griffiths)
Subject: Microsoft Cries Wolf ( again )
Thilo Schulz wrote:
> On Tuesday 01 July 2003 00:58, mattmurphy@...rr.com wrote:
>
>>The ZDNet article hit the point right on the head. It is irresponsible to
>>leave the vendor uninformed before going public. Doing that helps
>>absolutely nobody. If you're going to take the interpretation of full
>>disclosure literally, notification of the vendor and the public is
>>simultaneous. There will be radicals who say that notifying none is what
>>should have happened here -- and even that policy is better than blindly
>>rifling off details of a remotely exploitable buffer overflow to every
>>kiddie in the world without a workaround of any kind. The
>>poorly-structured original post didn't even make the faulty code clear.
>
>
> While I agree, that you should at least provide some kind of workaround, I
> strongly disagree with criminalizing anyone who stands for full disclosure.
>
> I, as user and administrator, personally would rather have someone disclose a
> vulnerability prematurely with a workaround that I can use than someone being
> quiet while piling up a huge dDoS host collection / passing his t00lz around
> in the blackhat community. Not everyone is as good a person as microsoft
> wants to have them - and frankly - if I discovered a bug I would not do
> "cooperation" that stretches endlessly over weeks and eventually after half a
> year the hole is patched.
> In fact they should be grateful for everyone who does not hold back
> information about bugs in their software.
>
While people may not be what Microsoft wants, Microsoft's security handling is
not good enough for some people.
[snip]
>
> I do not understand why things like support for this can be turned on by
> default. The result of this lax security policy could be seen in recent
> worms. And this is what really makes me sick: Trustworthy Computing Campaign,
> but when it really comes down to the dirty work of patching they moan about
> everyone who does not follow their strict guidelines on reporting
> vulnerabilities.
>
> - Thilo Schulz
Indeed. Also, by making people (through the usage of the term) think it is
trustable, they are more likely to do ecommerce/feel safe doing online
stuff.
Sincerely,
Andrew Griffiths