lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20050312152824.S1945@ubzr.zsa.bet>
From: measl at mfn.org (J.A. Terranson)
Subject: Reuters: Microsoft to give holes info to
	UncleSam first - responsible vendor notification may not be a good idea
	anymore...


On Sat, 12 Mar 2005, joe wrote:

> I didn't see Tamas' original note but this program isn't an early patch
> release program. It is a program for beta testing patches just like the
> other beta's MS and other companies do. It is simply locked down
> considerably more due to the possible issues surrounding it. The patches
> could definitely change prior to actual public launch.

Nevertheless, you and I both know that this program will be used as an
early patch release program, and will in fact serve as such once the
soon-to-be-released patches are finalized on these preliminary machines.


> As such, the patches aren't intended to be loaded on production equipment

HahahahAHAHAHahahhaAAhhAahahaha!!!!  Microsoft?  Not intended for
production machines???

ROFL!

> and in fact it is explicitely stated to not load it in production if I
> recall corrrectly. The intent is for external customer test labbing to find
> the most egregious issues and functionality breaks they may cause so it
> doesn't impact the user community at large. The folks brought into the beta
> are the ones most likely to test the patches on a wide variety of scenarios.

As someone who has seen this program from the inside, I am here to tell
you you are WRONG.  That' spelled W-R-O-N-G, just in case you were not
sure.

These programs MAY have as input large "shops" which can help test, but it
also includes "priority" customers (Govt, the critical 8 in
infrastructure, etc.), most of whom will *never* provide any feedback data
to the patch supplier.

> Unlike many of the other betas, you have an actual testing and feedback
> requirement and have to agree to that requirement before being allowed in.

Then we are talking about different programs.  There ARE early release
programs, and this reads as one.

> I
> previously was a consultant at a large company that was asked if they wanted
> to be in this program and we declined because we couldn't handle the
> additional workload that it required as a participant. We just didn't have
> the resources available.

OK, lets assume that this is a different program.  I stand by my assertion
that an early patch release program that caters solely to government and
the critical 8 is good public policy (and currently implemented).

> Here is a link that maybe makes the test nature a little more clear
>
> http://www.internetnews.com/security/article.php/3489586



-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."

	http://www.tshirthell.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ