industry standards - current status [was: what we REALLY learned from WMF]

[Gadi Evron <ge () linuxbox org>]

Comments and text below the quoted text.

> mis-information.  I believe even *you* posted erroneous information.  Nice.

#1.

> First everyone bitches about how bad Microsoft security is, how they 
> don't "get it" and how they don't care.  Then, when they issue a patch 
> out-of-cycle, we hear pompous comments like "See!  I told you so!  They 
> can do it if they want to, so they should do EVERYTHING like this!!"   
> They handled it the right way, and still, they get criticism.  Great.

#2.

> Oh, that's rich.  Let's see-- wasn't it YOU that said to Dave Litchfield 
> regarding Oracle:

> So, it's OK for Oracle to have the worst security (both in product and 
> in attitude) of any vendor on the face of the planet,  and to take the 
> "Oh, let's not pick on them by singling them out" mindset, but now you 
> are DEMANDING that every patch be treated like the WMF patch just 
> because YOU said so??  Why are you singling out Microsoft here?

#3.

> What about WINE?  Where is your DEMAND that THEY patch immediately?  
> Where is the patch, anyway?  Oh, there isn't one yet.  Shouldn't you be 
> ripping them a new one?  After all, WINE is still vulnerable to the WMF 
> exploit.

#4.

> Oh, I totally get your drift.  You are biased, and speak with a forked 
> tongue.

#5.

> t

5 points in this post, all directed as a personal attack. I learned to 
only answer one out of every flame-baits, so I will concentrate on the 
ideas behind the post instead.

Microsoft did nothing wrong, in fact, they did great. Microsoft is an 
easy choice in this case because even though each case varies, they 
showed a capability here to deal with issues much faster than usual.

Now, the point I am trying to make is not MS-specific, but rather about 
our standards in the industry.

As an example, take false positives. A HUGE problem I[DP]S experts try 
and deal with every day, invest a lot of time in, and yet can't solve... 
therefore we got used in the industry to a level of false positives.

Same goes to vulnerability scanners.. false positives appear as a way of 
nature.

And yet, some vendors are different than others. In I[DP]S as well as 
vulnerability scanning. With some vendors, they invest less in features 
and more in eliminating false positives. They treat them as full-blown 
bugs rather than "something to live with". It works -- at least better 
than with others.

Same goes as to patches.

In the Oracle case I was in complete agreement with Dave, but my opinion 
was that the medium was wrong, and in some cases - the medium is the 
message. That's something we'd have to disagree on.

In this case though, it is once again about standards. Microsoft shows 
Oracle is not alone, although they achieved amazing progress, especially 
in the last couple of years.

If a patch can be put through full testing and released within days when 
it is taken seriously enough and resources are invested - no matter for 
what reason, I see no reason myself that this can't become common practice.

We should be practical in our demands, but if in practice this can be 
done in days, surely vendors can step it up a notch on critical issues.
Microsoft runs on most of the computers on this planet, therefore they 
are to be treated different for better and for worse. A year+ of waiting 
for a patch while people might be exploited is unacceptable according to 
standards we should be upholding now that we know what is possible.

We are like a toad. Throw us into boiling water and we would jump right 
out, screaming. Slowly raise the temperature of the water and we might 
not even notice it.

Then suddenly.. we see bright light, and that is that standards in the 
industry are too low. That is my opinion -- I may be wrong, but if you 
wish to dispute it, I suggest you at least try rather than baiting for a 
flame war.
:)

Happy new year,

        Gadi.