Full Disclosure mailing list archives

Re: Microsoft Cries Wolf ( again )

From: Andrew Griffiths <andrewg () d2 net au>
Date: Mon, 30 Jun 2003 18:24:07 +1000

Thilo Schulz wrote:

On Tuesday 01 July 2003 00:58, mattmurphy () kc rr com wrote:
The ZDNet article hit the point right on the head.  It is irresponsible to
leave the vendor uninformed before going public.  Doing that helps
absolutely nobody.  If you're going to take the interpretation of full
disclosure literally, notification of the vendor and the public is
simultaneous.  There will be radicals who say that notifying none is what
should have happened here -- and even that policy is better than blindly
rifling off details of a remotely exploitable buffer overflow to every
kiddie in the world without a workaround of any kind.  The
poorly-structured original post didn't even make the faulty code clear.
While I agree, that you should at least provide some kind of workaround, Istrongly disagree with criminalizing anyone who stands for full disclosure.
I, as user and administrator, personally would rather have someone disclose avulnerability prematurely with a workaround that I can use than someone beingquiet while piling up a huge dDoS host collection / passing his t00lz aroundin the blackhat community. Not everyone is as good a person as microsoftwants to have them - and frankly - if I discovered a bug I would not do"cooperation" that stretches endlessly over weeks and eventually after half ayear the hole is patched.In fact they should be grateful for everyone who does not hold backinformation about bugs in their software.

While people may not be what Microsoft, Microsoft's security handling isnot good enough for some people.


[snip]

I do not understand why things like support for this can be turned on bydefault. The result of this lax security policy could be seen in recentworms. And this is what really makes me sick: Trustworthy Computing Campain,but when it really comes down to the dirty work of patching they moan abouteveryone who does not follow their strict guidelines on reportingvulnerabilities.
 - Thilo Schulz

Indeed. Also, making people, (by the usage of the term) think it istrustable, they are more likely to do ecommerce/feel safe doing onlinestuff.


Sincerely,
Andrew Griffiths

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Microsoft Cries Wolf ( again ) Peter van den Heuvel (Jul 01)
- <Possible follow-ups>
- Re: Microsoft Cries Wolf ( again ) Thilo Schulz (Jul 01)
  - Re: Microsoft Cries Wolf ( again ) Andrew Griffiths (Jul 01)
- Re: Microsoft Cries Wolf ( again ) Georgi Guninski (Jul 01)
- RE: Microsoft Cries Wolf ( again ) Schmehl, Paul L (Jul 01)
  - Re: Microsoft Cries Wolf ( again ) KF (Jul 01)
    - Re: Microsoft Cries Wolf ( again ) ATD (Jul 01)
    - Re: Microsoft Cries Wolf ( again ) madsaxon (Jul 01)
  - RE: Microsoft Cries Wolf ( again ) Richard M. Smith (Jul 01)
    - RE: Microsoft Cries Wolf ( again ) Mike Fratto (Jul 01)
    - RE: Microsoft Cries Wolf ( again ) Cesar (Jul 01)
    - Re: Microsoft Cries Wolf ( again ) Brett Hutley (Jul 02)
  - Re: Microsoft Cries Wolf ( again ) Peter van den Heuvel (Jul 01)

(Thread continues...)