Re: [ISN] Microsoft failing security test?

From: InfoSec News (isnat_private)
Date: Tue Jan 15 2002 - 08:02:47 PST

  • Next message: InfoSec News: "[ISN] Linux Security Week - January 14th 2002"

    Forwarded from: Chris Wysopal <cwysopalat_private>
    
    > Forwarded from: McDonald Patrick <mcdonald_patrickat_private>
    >
    > I have to respectfully disagree with Chris Wysopal.
    >
    > <snip>
    >
    > "Chris Wysopal, director of research and development for security
    > company @Stake, argued that an early warning can sometimes
    > actually hurt security, tipping off malicious attackers to the
    > vulnerability."
    >
    > <snip>
    >
    > Does early warning help script kiddies, most definitely.  However
    > it also helps admins protect their systems against these attacks.  
    > A script kiddie can't use an exploit that an admin has prepared
    > against. Thus the exploit is useless against an informed admin.
    
    Seems there was some selective <snip>ing.  You left out the part where
    I say. "It does make sense to warn people up front that they can take
    actions now". If admins/users can take action on their own it is a
    good idea to let them know.
    
    The complete context is this:
    
    <snip> Chris Wysopal, director of research and development for
    security company @Stake, argued that an early warning can sometimes
    actually hurt security, tipping off malicious attackers to the
    vulnerability.
    
    Still, Wysopal said, with the Plug and Play incident, Microsoft could
    have told customers to just turn off the function if they weren't
    using it.
    
    "It does make sense to warn people up front that they can take actions
    now," Wysopal said. "I would like to see people not rely on patches so
    much. I was disappointed with the FBI's retraction (after they)
    proposed a solution that did not require a patch."
    
    <snip>
    
    Cheers,
    
    Chris
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:07:01 PST