Full Disclosure mailing list archives
Re: Reuters: Microsoft to give holes info to Uncle Sam first - responsible vendor notification may not be a good idea any more...
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sat, 12 Mar 2005 23:31:09 +0530
On 12/03/05 11:15 -0600, J.A. Terranson wrote:
> This "story" really just reflects what has been going on in the real world for some time now. Microsoft, Cisco, Juniper, etc., all have both vested interests and public policy interests in notifying those who would be most affected first.

Which public? Are you a member of the public? Am I?

> This is good public policy as well: if the national infrastructure is compromised, we are all up shit's creek, if Joe's Corner Store is

Which nation? From my PoV, it is the general user who needs to be informed first. A whole bunch of us have more problems with Windows holes even though we do not use Windows, simply because of the traffic volume generated. Perhaps you would have liked the Slammer or Blaster patches released to the US government first, and only then to the general public?

> compromised, only Joe and possibly Joe's small geographic user base is hosed.

Unless there are a very large number of Joe's affected.

> Decrying this shows you have not thought the problem through Tamas.

I can support Cisco not publicly announcing a hole until the network backbone is upgraded (I don't have to like it, but I will support it because it makes sense to protect critical infrastructure from a DoS attack first.) [1]. I can not support Microsoft doing the same thing, because the problem is at the edge of the network, and it affects _others_ who should not be affected by it.

Devdas Bhagat

[1] If it was a mere DoS, sure, notify your larger customers first. If it is not a DoS, but an exploit which allows for outsider control, then selective notification is irresponsible. (The Cisco statement is wrt the recent DoS stuff when Cisco notified the backbone operators before the official advisory).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/