RE: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore...

["J.A. Terranson" <measl () mfn org>]

On Sat, 12 Mar 2005, joe wrote:

> I didn't see Tamas' original note but this program isn't an early patch
> release program. It is a program for beta testing patches just like the
> other beta's MS and other companies do. It is simply locked down
> considerably more due to the possible issues surrounding it. The patches
> could definitely change prior to actual public launch.

Nevertheless, you and I both know that this program will be used as an
early patch release program, and will in fact serve as such once the
soon-to-be-released patches are finalized on these preliminary machines.


> As such, the patches aren't intended to be loaded on production equipment

HahahahAHAHAHahahhaAAhhAahahaha!!!!  Microsoft?  Not intended for
production machines???

ROFL!

> and in fact it is explicitely stated to not load it in production if I
> recall corrrectly. The intent is for external customer test labbing to find
> the most egregious issues and functionality breaks they may cause so it
> doesn't impact the user community at large. The folks brought into the beta
> are the ones most likely to test the patches on a wide variety of scenarios.

As someone who has seen this program from the inside, I am here to tell
you you are WRONG.  That' spelled W-R-O-N-G, just in case you were not
sure.

These programs MAY have as input large "shops" which can help test, but it
also includes "priority" customers (Govt, the critical 8 in
infrastructure, etc.), most of whom will *never* provide any feedback data
to the patch supplier.

> Unlike many of the other betas, you have an actual testing and feedback
> requirement and have to agree to that requirement before being allowed in.

Then we are talking about different programs.  There ARE early release
programs, and this reads as one.

> I
> previously was a consultant at a large company that was asked if they wanted
> to be in this program and we declined because we couldn't handle the
> additional workload that it required as a participant. We just didn't have
> the resources available.

OK, lets assume that this is a different program.  I stand by my assertion
that an early patch release program that caters solely to government and
the critical 8 is good public policy (and currently implemented).

> Here is a link that maybe makes the test nature a little more clear
>
> http://www.internetnews.com/security/article.php/3489586



-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."

        http://www.tshirthell.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/