Forwarded from: Robert G. Ferrell <rferrellat_private>

> MOUNTAIN VIEW, Calif. -- Microsoft and five security companies
> announced on Thursday that they would create an organization to
> promote the responsible publishing of information about software
> flaws.

Sorry, but "Microsoft" and "responsible" in the same sentence pegged my incongruity meter.

My inherent distrust of vendor-initiated and/or moderated forums devolves from the simple fact that vendors (understandably) want to downplay the severity and potential consequences of vulnerabilities discovered in their products. As a consequence, while we might get the bare bones facts about a security flaw and maybe even a fix, we aren't likely to get anything like the exhaustive analysis of the engineering issues underlying a particular vulnerability that now frequently accompanies announcements by independent security analysts. This in effect means that we simply have to trust the vendors to kiss it and make everything all better, despite the fact that they're the same ones who shipped the product with the flaw in the first place.

I don't know about you folks, but applying the traditional Redmond 'black box' principle to security gives me the heebie-jeebies.

Cheers,

RGF

Robert G. Ferrell
rferrellat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 07:03:36 PST