Firewall Wizards mailing list archives

Re: Re: Extreme Hacking


From: "MI DC" <midc () canoemail com>
Date: Sat, 10 Jul 1999 01:28:29 -0800

crowland () psionic com wrote:

From outside appearances it would seem that the time period for this
particular exploit was too short. Consider that MS must:

1) Diagnose and isolate the problem.
2) Develop a cross-platform fix.

Cross-platform?  iis runs on nt only.

3) Regression test the fix across all platforms and loads.

Microsoft claims to not regression test hotfixes.  And even if they did, "across all platforms" in this case is the one 
platform on which iis runs.

4) Package the patch and test across all platforms and loads.

Again, testing is required for only the one platform on which iis runs.

5) Repeat steps 3 and 4 in the respective QA lab.

Not to be repetitive, but you were, so, repeat 3 and 4 for the one platform on which iis runs.

6) Distribute the patch and send warning.

Not being privy to MS development cycle myself, I can only speculate. I
would suspect that the above is a fair assessment however. Don't forget
the fact that they have over one million servers out there. It's not
a matter of hacking in a fix and sending it out. If it breaks
customers they are going to be plenty upset, it's basically a lose-lose
situation.

And apache runs on (checking netcraft survey) 3713470 known sites on *multiple* *platforms*, not just on multiple 
variants of unix or multiple types of hardware (in case you are counting nt on intel and nt on alpha as "all 
platforms").  That's 2.5 times the number of iis servers, which run on nt only.  The Apache Group still gets 
cross-platform security fixes out same day.

(Not intending to start a debate on cathedrals and bazaars.)

midc
