From: devdas at dvb.homelinux.org (Devdas Bhagat)
Subject: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...

On 12/03/05 11:15 -0600, J.A. Terranson wrote:
> 
> This "story" really just reflects what has been going on in the real world
> for some time now.
> 
> Microsoft, Cisco, Juniper, etc., all have both vested interests and public
> policy interests in notifying those who would be most affected first.

Which public? Are you a member of the public? Am I?

> This is good public policy as well: if the national infrastructure is
> compromised, we are all up shit's creek, if Joe's Corner Store is

Which nation? From my PoV, it is the general user who needs to be
informed first. A whole bunch of us have more problems with Windows
holes even though we do not use Windows, simply because of the traffic
volume generated.
Perhaps you would have liked the Slammer or Blaster patches released to
the US government first, and only then to the general public?

> compromised, only Joe and possibly Joe's small geographic user base is
> hosed.

Unless there are a very large number of Joes affected.

> Decrying this shows you have not thought the problem through Tamas.

I can support Cisco not publicly announcing a hole until the network
backbone is upgraded (I don't have to like it, but I will support it
because it makes sense to protect critical infrastructure from a DoS
attack first.) [1].

I cannot support Microsoft doing the same thing, because the problem is
at the edge of the network, and it affects _others_ who should not be
affected by it.

Devdas Bhagat

[1] If it was a mere DoS, sure, notify your larger customers first. 
If it is not a DoS, but an exploit which allows for outsider control,
then selective notification is irresponsible.
(The Cisco statement is wrt the recent DoS stuff when Cisco
notified the backbone operators before the official advisory).
