| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... On Sat, 12 Mar 2005 11:15:22 CST, "J.A. Terranson" said: > > This "story" really just reflects what has been going on in the real world > for some time now. > > Microsoft, Cisco, Juniper, etc., all have both vested interests and public > policy interests in notifying those who would be most affected first. > This is good public policy as well: if the national infrastructure is > compromised, we are all up shit's creek, if Joe's Corner Store is > compromised, only Joe and possibly Joe's small geographic user base is > hosed. > > Decrying this shows you have not thought the problem through Tamas. Ahh, but remember - the Microsoft party line is that there's no 0-day exploits, and exploits come from black hats who reverse-engineer the patches. http://news.bbc.co.uk/1/hi/technology/3485972.stm So if we follow the esteemed Mr Aucsmith's logic(*) through, they're making things *less* secure by giving the patch to government, because it *will* leak out and thus create 0-days for the black hats to use against the *rest* of us... "We have never had vulnerabilities exploited before the patch was known". So the government wasn't vulnerable before they shipped the patch, and Joe's Corner Store wasn't either - but once they ship something to the govt, then the corner store *does* have to worry. Except they have no way to even *know* that they need to worry now, because they don't know the patch has shipped. This is one of these things where thinking the problem through just ends up proving that it's even harder than it looks the first time around.... (*) Note that even though the logic is a total crock, because 0-days *do* exist, the early secret shipping of a patch is a destabilizing act. You can't ship a patch to something the size of the US government and have it stay *totally* secret - and once the black hats know that a patch *is* in the pipeline, they know how much longer their 0-day will still be useful. So suddenly there's a "use it before you lose it" pressure, and Joe's Corner Store may find itself targeted for an attack it would not have otherwise gotten.... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050312/bc9139ba/attachment.bin
Powered by blists - more mailing lists