Full Disclosure mailing list archives
Re: How to Report a Security VulnerabilitytoMicrosoft
From: bkfsec <bkfsec () sdf lonestar org>
Date: Wed, 13 Apr 2005 11:13:34 -0400
mcbain () aol com wrote:
I dont believe even with a staff of 100k people that one could come up with a conceivable testing environment for every possible network setup in this world, could you?
In my opinion, an attitude like this is part of the problem. (No offense meant by this.. it's not directed at you personally.)
Obviously, there are an infinite combination of network configurations. Obviously, you have to draw a line somewhere. Obviously there are variables you can't control.
However, isn't one of the great arguments for proprietary software that the vendors can control the software and avoid problems like this? Why is it that I have more faith that a patch on the GNU/Linux system is not going to break my system than I have that a patch tested by MS for 6 months won't break my MS Windows system?
This is not to say that Free Software programs are necessarily programmed in a better way than Proprietary MS Windows software, but its base design does tend to be better.
If an OS is coherently and solidly designed, the infinite number of combinations of network layouts shouldn't matter. If a protocol/API is designed well, it is by definition predictable. If an OS is designed well, it is also, by definition, predictable. If you have to replicate every single concievable testing scenario to ensure that your software won't break, you're doing something wrong.
Now, I have no problem with exhaustive testing - I'm a big fan of it. However, there is a limit to it. If you test all of the potential causes of trouble on the network (hardware interfaces, network stack, the applications used) and each portion by itself conforms to the standard and is functional, then that should generalize. If having a completely unrelated program or utility on those systems screws things up, you have a fundamental design issue, and further testing will not save you.
This is why patching on MS Windows requires so much testing and trial and error: there are fundamental design issues in MS Windows which force people to harbor the "but you can't test all specific cases" attitude.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: How to Report a Security VulnerabilitytoMicrosoft, (continued)
- Re: How to Report a Security VulnerabilitytoMicrosoft bkfsec (Apr 13)
- Re: How to Report a Security VulnerabilitytoMicrosoft Georgi Guninski (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft mcbain (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft Valdis . Kletnieks (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft mcbain (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft dk (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft Valdis . Kletnieks (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft Georgi Guninski (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft mcbain (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft dk (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft bkfsec (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Georgi Guninski (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Danny (Apr 13)