Message-ID: <3EFFF3A7.9000405@d2.net.au>
From: andrewg at d2.net.au (Andrew Griffiths)
Subject: Microsoft Cries Wolf ( again )

Thilo Schulz wrote:
> On Tuesday 01 July 2003 00:58, mattmurphy@...rr.com wrote:
>
>> The ZDNet article hit the point right on the head. It is irresponsible to
>> leave the vendor uninformed before going public. Doing that helps
>> absolutely nobody. If you're going to take the interpretation of full
>> disclosure literally, notification of the vendor and the public is
>> simultaneous. There will be radicals who say that notifying none is what
>> should have happened here -- and even that policy is better than blindly
>> rifling off details of a remotely exploitable buffer overflow to every
>> kiddie in the world without a workaround of any kind. The
>> poorly-structured original post didn't even make the faulty code clear.
>
> While I agree that you should at least provide some kind of workaround, I
> strongly disagree with criminalizing anyone who stands for full disclosure.
>
> I, as user and administrator, personally would rather have someone disclose a
> vulnerability prematurely with a workaround that I can use than someone being
> quiet while piling up a huge dDoS host collection / passing his t00lz around
> in the blackhat community. Not everyone is as good a person as Microsoft
> wants to have them - and frankly - if I discovered a bug I would not do
> "cooperation" that stretches endlessly over weeks and eventually after half a
> year the hole is patched.
> In fact they should be grateful for everyone who does not hold back
> information about bugs in their software.
> While people may not be what Microsoft, Microsoft's security handling is not
> good enough for some people.

[snip]

> I do not understand why things like support for this can be turned on by
> default. The result of this lax security policy could be seen in recent
> worms.
> And this is what really makes me sick: Trustworthy Computing Campaign,
> but when it really comes down to the dirty work of patching they moan about
> everyone who does not follow their strict guidelines on reporting
> vulnerabilities.
>
> - Thilo Schulz

Indeed. Also, by making people think (through the use of the term) that it is
trustable, they are more likely to do ecommerce / feel safe doing online stuff.

Sincerely,
Andrew Griffiths