Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...

From: Valdis.Kletnieks () vt edu
Date: Sat, 12 Mar 2005 12:55:17 -0500
On Sat, 12 Mar 2005 11:15:22 CST, "J.A. Terranson" said:


This "story" really just reflects what has been going on in the real world
for some time now.

Microsoft, Cisco, Juniper, etc., all have both vested interests and public
policy interests in notifying those who would be most affected first.
This is good public policy as well: if the national infrastructure is
compromised, we are all up shit's creek, if Joe's Corner Store is
compromised, only Joe and possibly Joe's small geographic user base is
hosed.

Decrying this shows you have not thought the problem through Tamas.


Ahh, but remember - the Microsoft party line is that there's no 0-day exploits,
and exploits come from black hats who reverse-engineer the patches.

http://news.bbc.co.uk/1/hi/technology/3485972.stm

So if we follow the esteemed Mr Aucsmith's logic(*) through, they're making things
*less* secure by giving the patch to government, because it *will* leak out and
thus create 0-days for the black hats to use against the *rest* of us...

"We have never had vulnerabilities exploited before the patch was known".

So the government wasn't vulnerable before they shipped the patch, and Joe's
Corner Store wasn't either - but once they ship something to the govt, then
the corner store *does* have to worry.

Except they have no way to even *know* that they need to worry now, because
they don't know the patch has shipped.

This is one of these things where thinking the problem through just ends up
proving that it's even harder than it looks the first time around....

(*) Note that even though the logic is a total crock, because 0-days *do*
exist, the early secret shipping of a patch is a destabilizing act.  You can't
ship a patch to something the size of the US government and have it stay
*totally* secret - and once the black hats know that a patch *is* in the
pipeline, they know how much longer their 0-day will still be useful.  So
suddenly there's a "use it before you lose it" pressure, and Joe's Corner Store
may find itself targeted for an attack it would not have otherwise gotten....

Attachment: _bin
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: