lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200307011412.18391.arny@ats.s.bawue.de>
From: arny at ats.s.bawue.de (Thilo Schulz)
Subject: Microsoft Cries Wolf ( again )

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 01 July 2003 00:58, mattmurphy@...rr.com wrote:
> The ZDNet article hit the point right on the head.  It is irresponsible to
> leave the vendor uninformed before going public.  Doing that helps
> absolutely nobody.  If you're going to take the interpretation of full
> disclosure literally, notification of the vendor and the public is
> simultaneous.  There will be radicals who say that notifying none is what
> should have happened here -- and even that policy is better than blindly
> rifling off details of a remotely exploitable buffer overflow to every
> kiddie in the world without a workaround of any kind.  The
> poorly-structured original post didn't even make the faulty code clear.

While I agree, that you should at least provide some kind of workaround, I 
strongly disagree with criminalizing anyone who stands for full disclosure.

I, as user and administrator, personally would rather have someone disclose a 
vulnerability prematurely with a workaround that I can use than someone being 
quiet while piling up a huge dDoS host collection / passing his t00lz around 
in the blackhat community. Not everyone is as good a person as microsoft 
wants to have them - and frankly - if I discovered a bug I would not do 
"cooperation" that stretches endlessly over weeks and eventually after half a 
year the hole is patched.
In fact they should be grateful for everyone who does not hold back 
information about bugs in their software.

Quote:
"A bug like this could be triggered via a number of means...through e-mail, 
simply browsing a web page, perhaps browsing a network share," he wrote in an 
e-mail to CNET News.com.

HTML and all the more Java Script simply 
_does_not_have_to_do_anything_at_all_with_emails_

I do not understand why things like support for this can be turned on by 
default. The result of this lax security policy could be seen in recent 
worms. And this is what really makes me sick: Trustworthy Computing Campain, 
but when it really comes down to the dirty work of patching they moan about 
everyone who does not follow their strict guidelines on reporting 
vulnerabilities.

 - Thilo Schulz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/AXqeZx4hBtWQhl4RAp09AJ9oHsRK4pkOC8oX+JChkZ+7Ktrf+ACgiXgT
5UIvmVbSoXVW/l0hNrETJ1M=
=JlEK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ