Re: Microsoft Cries Wolf ( again )

[KF <dotslash () snosoft com>]

> The solution to this problem lies in the hands of the vendors, *not* in the hands of the researchers.
*This is no lie... after a while one (researchers) simply gets tired of 
bending over backwards
to get the vendor to listen. You get to a point where you simply don't 
care sometimes...*
vendors are frustrating... they first act like they can't talk to you 
unless you are
paying for support... then the don't understand what it is you are 
trying to say...
then they claim that oh thats not a business critical issue we are gonna 
sit on our
rump for 6 months and then maybe we will fix it.... IF you even make it 
to that
point...

For examle I am waiting on a certain 3 letter company to get back to me 
on a local root
exploit... I used their web based email form which claims a 24 hour 
response time... its
now 5 days later and no response... that failed so I start the usual 
blind emails to security@
support@ somebodyfirggenhelpme@ and no one responds... so then I call 
their phone and
go through every friggin option in their PBX system.. still can't find 
someone to help out...

"... security staff... what do you mean... I have never had someone ask 
something like that"
me: you know... like I have a security issue with your product... you 
need to fix it...
"thats interesting... I'll have to see what I can find... we never get 
calls like this"
me: *sigh*

I have done my due dilligence... here in about 1 day the problem is 100% 
theirs... I will give
the public the old chomd -s reccomendation and be done with it...

Someone in the .gov get us a vendor responsibility bill or something...
-KF



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html