lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <E1DASdT-0007F5-00.phased-mail-ru@f39.mail.ru>
From: phased at mail.ru (phased)
Subject: Reuters: Microsoft to give holes info to
	UncleSam first - responsible vendor notification may not be a
	goodidea any more...


-----Original Message-----
From: Scott Edwards <supadupa@...il.com>
To: 
Date: Sat, 12 Mar 2005 22:45:39 -0700
Subject: Re: [Full-disclosure] Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a goodidea any more...

> 
> On Sat, 12 Mar 2005 13:41:26 +0100, Tamas Feher <etomcat@...email.hu> wrote:
> > http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=7
> > 876004&src=rss/technologyNews
> > 
> > Microsoft to Offer Patches to U.S. Govt. First
> > by Reuters, 11 Mar 2005
> [snip]
> > Under a plan to take effect later this year, Microsoft will give the
> > U.S. Air Force versions of software "patches" to fix serious security
> > vulnerabilities up to a month before they are available to others,
> > the paper said.
> [snip]
> 
> Isn't the real issue we're trying to address, is that the US Govt's
> advance knowledge of this information, does not serve the masses?
> 
> My strongest opinion is to provide it for everyone at the same time. 
> This advance notice has some indication that someone does not have the
> (wo)man power and action plan on how to handle these updates.  Seems
> like what ever reason they have, is a complete cop-out (Feel free to
> enlighten me Uncle Sam, I honor thee, but why are thou so special?). 
> Two words for Uncle Sam. "Cowboy up!".  Sure MSFT says the updates
> will only be stalled to the public, "up to a month", but that could be
> any amount of time.
> 
> And this whole nonsense of "black hats only find these holes from
> updates" is just that, nonsense.  How many times have we seen a
> website turn a browser into a mushroom cloud?  I mean, we've NEVER
> seen a program crash by visiting websites, right? Reproduce that, and
> you've got yourself the makings of an exploit.  What if the next
> discovered hole is a worm writer?  (I'm not meaning to suggest that
> internet/www are not the only "critical updates" of concern in this
> topic, but it's the easiest to illustrate)
> 
> Thank you,
> 
> 
> Scott Edwards
> -- 
> Daxal Communications - http://www.daxal.com
> Surf the USA - http://www.surfthe.us
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://www.secunia.com/
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ