| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43BE90B7.31934.5292DF02@nick.virus-l.demon.co.uk> Date: Fri Jan 6 02:46:13 2006 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: what we REALLY learned from WMF Niek wrote: > MS appearantly had the patch read on 28 december 2005. > Suppose they released it 48 hours later, because the flaw is so serious. > Suppose everyone praises MS because they tackled it so quickly. > Suppose the MS patch breaks one of your applications. > Suppose I'd be reading your rant on this list a few days later, > on how MS sucks because they don't take the time to test things properly...... _In this case_ I'd say: Good on Microsoft for actually living up to the so far mainly BS but supposedly official 'security must take precedence over features' company line for several years. and to the hapless -- no, gormless -- developers of whatever third- party app(s) were broken I'd say: Serves you right for using a clearly insecure API, and why are you whining that your customers prefer security to some ill-conceived, security-lowering feature? Retorts along the line: But MS recommended we do it that way. would leave one hoping that their few remaining customers now desert them with all haste as they clearly don't give a rat's a*se about their customers' security so don't deserve to have any customers. Tough? Yes, but not as unacceptable as _expecting_ your customers to badly compromise their security for your convenience. Regards, Nick FitzGerald
Powered by blists - more mailing lists