Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: Andrew Griffiths <andrewg () d2 net au>
Date: Mon, 30 Jun 2003 18:24:07 +1000
Thilo Schulz wrote:
> On Tuesday 01 July 2003 00:58, mattmurphy () kc rr com wrote:
> > The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. Doing that helps absolutely nobody. If you're going to take the interpretation of full disclosure literally, notification of the vendor and the public is simultaneous. There will be radicals who say that notifying none is what should have happened here -- and even that policy is better than blindly rifling off details of a remotely exploitable buffer overflow to every kiddie in the world without a workaround of any kind. The poorly-structured original post didn't even make the faulty code clear.
>
> While I agree that you should at least provide some kind of workaround, I strongly disagree with criminalizing anyone who stands for full disclosure.
>
> I, as user and administrator, personally would rather have someone disclose a vulnerability prematurely with a workaround that I can use than someone being quiet while piling up a huge DDoS host collection / passing his t00lz around in the blackhat community. Not everyone is as good a person as Microsoft wants to have them - and frankly - if I discovered a bug I would not do "cooperation" that stretches endlessly over weeks and eventually after half a year the hole is patched. In fact they should be grateful for everyone who does not hold back information about bugs in their software.
While people may not be what Microsoft, Microsoft's security handling is not good enough for some people.
[snip]
> I do not understand why things like support for this can be turned on by default. The result of this lax security policy could be seen in recent worms. And this is what really makes me sick: Trustworthy Computing Campaign, but when it really comes down to the dirty work of patching they moan about everyone who does not follow their strict guidelines on reporting vulnerabilities.
>
> - Thilo Schulz
Indeed. Also, making people (by the usage of the term) think it is trustable, they are more likely to do e-commerce/feel safe doing online stuff.
Sincerely,
Andrew Griffiths

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html