Re: Microsoft Cries Wolf ( again )

[ATD <simon () snosoft com>]

Amen

On Tue, 2003-07-01 at 07:37, KF wrote:
> > The solution to this problem lies in the hands of the vendors, *not* in the hands of the researchers.
> *This is no lie... after a while one (researchers) simply gets tired of 
> bending over backwards
> to get the vendor to listen. You get to a point where you simply don't 
> care sometimes...*
> vendors are frustrating... they first act like they can't talk to you 
> unless you are
> paying for support... then the don't understand what it is you are 
> trying to say...
> then they claim that oh thats not a business critical issue we are gonna 
> sit on our
> rump for 6 months and then maybe we will fix it.... IF you even make it 
> to that
> point...
>
> For examle I am waiting on a certain 3 letter company to get back to me 
> on a local root
> exploit... I used their web based email form which claims a 24 hour 
> response time... its
> now 5 days later and no response... that failed so I start the usual 
> blind emails to security@
> support@ somebodyfirggenhelpme@ and no one responds... so then I call 
> their phone and
> go through every friggin option in their PBX system.. still can't find 
> someone to help out...
>
> "... security staff... what do you mean... I have never had someone ask 
> something like that"
> me: you know... like I have a security issue with your product... you 
> need to fix it...
> "thats interesting... I'll have to see what I can find... we never get 
> calls like this"
> me: *sigh*
>
> I have done my due dilligence... here in about 1 day the problem is 100% 
> theirs... I will give
> the public the old chomd -s reccomendation and be done with it...
>
> Someone in the .gov get us a vendor responsibility bill or something...
> -KF
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Attachment: signature.asc
Description: This is a digitally signed message part