Dailydave mailing list archives

Re: The lack of hard questions


From: dan () geer org
Date: Mon, 01 Sep 2008 22:23:29 -0400


Mike Reavey writes:
-+-----------------
 | Hey folks - we're here, watching this thread.  Send us your
 | questions, either directly to msrcteam () microsoft com or to the
 | list.  We'll answer them here: blogs.technet.com/ecostrat in a
 | future post.


One question I've always wanted to know is
based on partial knowledge on my part.

As I recall the story -- and this is subject
to correction -- back when one CD's worth of
Windows source was posted on the Internet
new exploits began appearing in perhaps a
fortnight.  That was interesting inasmuch as
it proved that amateurs could do it via source
analysis and, which is more, this is about the
time when MSFT began providing source to a
number of governments as part of the monopoly
defense -- including countries that had (have)
competent national laboratories, e.g., Russia.

So my questions: what sort of vulns do you get
back from foreign governments and, assuming
that they don't share except with you, how
often are what those governments discover
previously unknown, how often are the vulns
that are discovered discovered independently,
and do you ever see exploits of vulns that
have only been identified by governments
(and do those exploits correlate with the
nature of who is doing the discovering)?

A white paper on your efforts to avoid being
a vector of cyber warfare would serve, should
one be handy.

In respect,

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave