[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200503121755.j2CHtHHs017514@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Reuters: Microsoft to give holes info to Uncle
Sam first - responsible vendor notification may not be a good
idea any more...
On Sat, 12 Mar 2005 11:15:22 CST, "J.A. Terranson" said:
>
> This "story" really just reflects what has been going on in the real world
> for some time now.
>
> Microsoft, Cisco, Juniper, etc., all have both vested interests and public
> policy interests in notifying those who would be most affected first.
> This is good public policy as well: if the national infrastructure is
> compromised, we are all up shit's creek, if Joe's Corner Store is
> compromised, only Joe and possibly Joe's small geographic user base is
> hosed.
>
> Decrying this shows you have not thought the problem through Tamas.
Ahh, but remember - the Microsoft party line is that there's no 0-day exploits,
and exploits come from black hats who reverse-engineer the patches.
http://news.bbc.co.uk/1/hi/technology/3485972.stm
So if we follow the esteemed Mr Aucsmith's logic(*) through, they're making things
*less* secure by giving the patch to government, because it *will* leak out and
thus create 0-days for the black hats to use against the *rest* of us...
"We have never had vulnerabilities exploited before the patch was known".
So the government wasn't vulnerable before they shipped the patch, and Joe's
Corner Store wasn't either - but once they ship something to the govt, then
the corner store *does* have to worry.
Except they have no way to even *know* that they need to worry now, because
they don't know the patch has shipped.
This is one of these things where thinking the problem through just ends up
proving that it's even harder than it looks the first time around....
(*) Note that even though the logic is a total crock, because 0-days *do*
exist, the early secret shipping of a patch is a destabilizing act. You can't
ship a patch to something the size of the US government and have it stay
*totally* secret - and once the black hats know that a patch *is* in the
pipeline, they know how much longer their 0-day will still be useful. So
suddenly there's a "use it before you lose it" pressure, and Joe's Corner Store
may find itself targeted for an attack it would not have otherwise gotten....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050312/bc9139ba/attachment.bin
Powered by blists - more mailing lists