[lug] It's not our problem!

D. Stimits stimits at idcomm.com
Tue Oct 16 15:22:31 MDT 2001


Sean Reifschneider wrote:
> 
> Here's an article in which Microsoft is condemning people who release
> information on exploits:
> 
>    http://www.newsbytes.com/news/01/171173.html
> 
> My favorite quote is:
> 
>    Microsoft's editorial is aimed squarely at Eeye Digital Security, the
>    security software firm that discovered the bug in Microsoft's IIS
>    Webserver that was exploited by Code Red a month later.
> 
> Apparently, Microsoft believes that a month to address a severe security
> flaw in their products is just not enough time.  Based on experiences with
> many vendors not responding until there's public outcry, I don't think that
> holding the report back would have helped.  For example, the fact that the
> Cisco 675s locked up when given a URL with a "?" in them was reported
> nearly a year before it took down so many networks because of Code Red.
> 
> This is clearly, IMHO, a case of Microsoft trying to distract people from
> the real issues.

Microsoft is basically saying that there is an excuse to not disclose
quality problems. Microsoft does not want to compete in quality, and
this is a different way of phrasing it. MS is also using recent terror
attacks to name those who demand security as terrorists themselves. By
MS's reasoning, news reporters that show bad security at an airport,
places where security changes are inadequate, would also be terrorists,
since they reported flaws in the system. If MS ever gets the authority
to make security announcements about flaws illegal, or to force fixes to
be available only on their schedule, we might just as well vote that
terrorists should decide when to invoke new security...e.g., MS is
suggesting that no security be invoked until a private company decides
it is financially a good thing for them. It's sort of like the proposed
laws where all computer hardware, even hard drives and PDAs, would be
required to have anti-piracy hardware built in (even hard drives would
have this, and going around it would be a felony), because it sends an
official around to lock all residents out of their own homes, or to lock
them in, until they prove they belong there...no longer is it a case of
attacking the criminals, it becomes a case of having to prove innocence.
Ok, maybe I'm wording it a bit melodramatically.

D. Stimits, stimits at idcomm.com

> 
> Sean
> --
>  There are things that are so serious that you can only joke about them.
>                  -- Heisenberg
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
