Full Disclosure mailing list archives
Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...
From: Valdis.Kletnieks () vt edu
Date: Sat, 12 Mar 2005 12:55:17 -0500
On Sat, 12 Mar 2005 11:15:22 CST, "J.A. Terranson" said:
This "story" really just reflects what has been going on in the real world for some time now. Microsoft, Cisco, Juniper, etc., all have both vested interests and public policy interests in notifying those who would be most affected first. This is good public policy as well: if the national infrastructure is compromised, we are all up shit's creek, if Joe's Corner Store is compromised, only Joe and possibly Joe's small geographic user base is hosed. Decrying this shows you have not thought the problem through Tamas.
Ahh, but remember - the Microsoft party line is that there's no 0-day exploits, and exploits come from black hats who reverse-engineer the patches. http://news.bbc.co.uk/1/hi/technology/3485972.stm So if we follow the esteemed Mr Aucsmith's logic(*) through, they're making things *less* secure by giving the patch to government, because it *will* leak out and thus create 0-days for the black hats to use against the *rest* of us... "We have never had vulnerabilities exploited before the patch was known". So the government wasn't vulnerable before they shipped the patch, and Joe's Corner Store wasn't either - but once they ship something to the govt, then the corner store *does* have to worry. Except they have no way to even *know* that they need to worry now, because they don't know the patch has shipped. This is one of these things where thinking the problem through just ends up proving that it's even harder than it looks the first time around.... (*) Note that even though the logic is a total crock, because 0-days *do* exist, the early secret shipping of a patch is a destabilizing act. You can't ship a patch to something the size of the US government and have it stay *totally* secret - and once the black hats know that a patch *is* in the pipeline, they know how much longer their 0-day will still be useful. So suddenly there's a "use it before you lose it" pressure, and Joe's Corner Store may find itself targeted for an attack it would not have otherwise gotten....
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... Tamas Feher (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... J.A. Terranson (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... Valdis . Kletnieks (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... Devdas Bhagat (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... J.A. Terranson (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... Devdas Bhagat (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... J.A. Terranson (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... Valdis . Kletnieks (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... J.A. Terranson (Mar 12)
- Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more... J.A. Terranson (Mar 12)
- Re[2]: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore... phased (Mar 13)
- Re: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore... Vincent Archer (Mar 14)