From: supadupa at gmail.com (Scott Edwards)
Subject: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...

On Sat, 12 Mar 2005 13:41:26 +0100, Tamas Feher <etomcat@...email.hu> wrote:
> http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=7876004&src=rss/technologyNews
> 
> Microsoft to Offer Patches to U.S. Govt. First
> by Reuters, 11 Mar 2005
[snip]
> Under a plan to take effect later this year, Microsoft will give the
> U.S. Air Force versions of software "patches" to fix serious security
> vulnerabilities up to a month before they are available to others,
> the paper said.
[snip]

Isn't the real issue we're trying to address that the US Govt's
advance knowledge of this information does not serve the masses?

My strongest opinion is to provide it for everyone at the same time.
This advance notice has some indication that someone does not have the
(wo)man power and action plan on how to handle these updates.  Seems
like whatever reason they have, it is a complete cop-out (Feel free to
enlighten me Uncle Sam, I honor thee, but why art thou so special?).
Two words for Uncle Sam: "Cowboy up!"  Sure MSFT says the updates
will only be stalled to the public "up to a month", but that could be
any amount of time.

And this whole nonsense of "black hats only find these holes from
updates" is just that, nonsense.  How many times have we seen a
website turn a browser into a mushroom cloud?  I mean, we've NEVER
seen a program crash by visiting websites, right? Reproduce that, and
you've got yourself the makings of an exploit.  What if the next
discovered hole is a worm writer?  (I'm not meaning to suggest that
internet/www are not the only "critical updates" of concern in this
topic, but it's the easiest to illustrate)

Thank you,


Scott Edwards
-- 
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
