From: petard at freeshell.org (petard)
Subject: Re: Internet Explorer URL parsing vulnerability

On Wed, Dec 10, 2003 at 12:07:21PM -0800, Daniel H. Renner wrote:
> They simply don't want it fixed.  We can guess why, but they know why -
> and they aren't telling.  Not a good sign...

You don't have to make it sound like a conspiracy. It isn't. Here's why,
and it's perfectly obvious. Corporations are in the business of
maximizing profits. Contrary to what some might think, this does not
mean releasing perfect products. It means balancing customer demand (the
amount of money to be made) against the cost of fulfilling that demand
to varying degrees and delivering. If a corporation's paying customers
do not demand that flaws be fixed, or if they gain more paying customers
by adding new features than they do by fixing flaws, things go unfixed.

So the answer is not "They simply don't want it fixed." The answer is
"It is more profitable not to fix all the flaws than it is to fix them."
Microsoft estimates that they lose more money by spending it to fix some
problems than from people choosing alternative products as a result of
those problems. So if you want them to fix it, the way to get them to do
so is to vote, en masse, with your dollars. They will then lose more $$
from not fixing these problems than they will spend to fix them.

It is immaterial whether they "want" to fix them. They are not in the
business of doing what they want but what is profitable. Make it
unprofitable to ship a broken product, and that will change.

One of the ways to make it unprofitable to ship a broken product is to
post flaws like this in public places. In fact, it's one of the most
effective ways. Telling them quietly without notifying the public does
not accomplish that.

Regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.
