RE: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore...

["joe" <mvp () joeware net>]

I didn't see Tamas' original note but this program isn't an early patch
release program. It is a program for beta testing patches just like the
other beta's MS and other companies do. It is simply locked down
considerably more due to the possible issues surrounding it. The patches
could definitely change prior to actual public launch.

As such, the patches aren't intended to be loaded on production equipment
and in fact it is explicitely stated to not load it in production if I
recall corrrectly. The intent is for external customer test labbing to find
the most egregious issues and functionality breaks they may cause so it
doesn't impact the user community at large. The folks brought into the beta
are the ones most likely to test the patches on a wide variety of scenarios.
Unlike many of the other betas, you have an actual testing and feedback
requirement and have to agree to that requirement before being allowed in. I
previously was a consultant at a large company that was asked if they wanted
to be in this program and we declined because we couldn't handle the
additional workload that it required as a participant. We just didn't have
the resources available. 

Here is a link that maybe makes the test nature a little more clear

http://www.internetnews.com/security/article.php/3489586



  

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of J.A.
Terranson
Sent: Saturday, March 12, 2005 12:15 PM
To: Tamas Feher
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Reuters: Microsoft to give holes info to
UncleSam first - responsible vendor notification may not be a good idea
anymore...


This "story" really just reflects what has been going on in the real world
for some time now.

Microsoft, Cisco, Juniper, etc., all have both vested interests and public
policy interests in notifying those who would be most affected first.
This is good public policy as well: if the national infrastructure is
compromised, we are all up shit's creek, if Joe's Corner Store is
compromised, only Joe and possibly Joe's small geographic user base is
hosed.

Decrying this shows you have not thought the problem through Tamas.

--
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless shit...because they
have to type everything with their noses."

        http://www.tshirthell.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/