Re: Time-to-patch vs Disclosure method

From: Jay D. Dyson (jdysonat_private)
Date: Thu Oct 18 2001 - 11:05:08 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Thu, 18 Oct 2001, Tomasz Rola wrote:
    
    > > I could not possibly disagree more.  They are blaming the discoverers
    > > of their flaws for their security problems.  That's not only poor
    > > judgment, it's deceptive to the consumer.
    > 
    > Contrary to the popular belief I don't think they are able to judge
    > poorly. Remember, they have bigger part or so of the market - this was
    > not done by a chance.
    
    	Having a large share of the market means they have only succeeded
    in avoiding similar mistakes in marketing.  Most customers don't care
    about security; they only care about convenience.  That doesn't excuse
    Microsoft's gross oversights with respect to security. 
    
    > They may not be very subtle but I don't think they are stupid and they
    > can patch their deficiencies with brute force when required. 
    
    	Okay, I require clarification on this.  What do you mean "they can
    patch their deficiencies with brute force"?  Explain that.
    
    > Their real problem, at least for me, is that there is no mandatory
    > applying of security patches.
    
    	How do you propose to make it mandatory?  Passage of more laws?
    How will those laws be enforced across national boundaries?  Will
    violations of those laws be an offense subject to extradition?
    
    	It's all fine and dandy to suggest a panacea to the problems we
    face, but there are far greater logistical concerns to make sure those
    ideas are even workable.
    
    	All told, the whole mess would be resolved if Microsoft (and other
    vendors) simply released only products that were more secure than they are
    today.  An ounce of prevention and all that.
    
    > > That's not just stupid, it's just another shining example of their
    > > anti-competitive tactics. 
    > 
    > Well, why do you think that business is about competition :-). It's
    > about making money and nothing else.
    
    	Tell me something I don't already know.  The bottom line is that
    Microsoft is selling a wolf and calling it a sheep.  They claim they want
    what's best for the user, but they go out of their way to destroy all that
    opposes them.  I don't fault them for ambition, but I do fault them for
    hypocrisy and dishonesty.
    
    - -Jay
    
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `- Peace without justice is life without living. -'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBO88Lx7lDRyqRQ2a9AQEO/AQAmQtz/8pW3zfM4siwpg8g7RJWuAxd0Vr7
    VvxQ21oacDXCdo2Sc5s/3IJjsu+KIC+zhnd5PwLOv+EkNgjZAcD4QTCAaaLtbgRj
    7Mn6lsGBmcmMPljq2kCiholj9t5T3eKq0d7TjbyP94iOjRymH0+9GE+Cof/mH83b
    7m05IL+7ay0=
    =eja/
    -----END PGP SIGNATURE-----
    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:31:10 PDT