| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: phased at mail.ru (phased) Subject: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a goodidea any more... -----Original Message----- From: Scott Edwards <supadupa@...il.com> To: Date: Sat, 12 Mar 2005 22:45:39 -0700 Subject: Re: [Full-disclosure] Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a goodidea any more... > > On Sat, 12 Mar 2005 13:41:26 +0100, Tamas Feher <etomcat@...email.hu> wrote: > > http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=7 > > 876004&src=rss/technologyNews > > > > Microsoft to Offer Patches to U.S. Govt. First > > by Reuters, 11 Mar 2005 > [snip] > > Under a plan to take effect later this year, Microsoft will give the > > U.S. Air Force versions of software "patches" to fix serious security > > vulnerabilities up to a month before they are available to others, > > the paper said. > [snip] > > Isn't the real issue we're trying to address, is that the US Govt's > advance knowledge of this information, does not serve the masses? > > My strongest opinion is to provide it for everyone at the same time. > This advance notice has some indication that someone does not have the > (wo)man power and action plan on how to handle these updates. Seems > like what ever reason they have, is a complete cop-out (Feel free to > enlighten me Uncle Sam, I honor thee, but why are thou so special?). > Two words for Uncle Sam. "Cowboy up!". Sure MSFT says the updates > will only be stalled to the public, "up to a month", but that could be > any amount of time. > > And this whole nonsense of "black hats only find these holes from > updates" is just that, nonsense. How many times have we seen a > website turn a browser into a mushroom cloud? I mean, we've NEVER > seen a program crash by visiting websites, right? Reproduce that, and > you've got yourself the makings of an exploit. What if the next > discovered hole is a worm writer? (I'm not meaning to suggest that > internet/www are not the only "critical updates" of concern in this > topic, but it's the easiest to illustrate) > > Thank you, > > > Scott Edwards > -- > Daxal Communications - http://www.daxal.com > Surf the USA - http://www.surfthe.us > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://www.secunia.com/ >
Powered by blists - more mailing lists