Date: Sat, 07 Jan 2006 00:56:54 +0200
From: Gadi Evron <ge@linuxbox.org.>
To: "Thor (Hammer of God)" <thor@hammerofgod.com.>
Subject: industry standards - current status [was: what we REALLY learned
from WMF]
References: <43BD9569.4090701@linuxbox.org.> <00c501c61282$b0572f30$0a01a8c0@anchorsign.com>
In-Reply-To: <00c501c61282$b0572f30$0a01a8c0@anchorsign.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeded SMTP AUTH authentication, not delayed by milter-greylist-1.7.5 (linuxbox.org [24.155.83.21]); Fri, 06 Jan 2006 16:57:46 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru
Comments and text below the quoted text.
> mis-information. I believe even *you* posted erroneous information. Nice.
#1.
> First everyone bitches about how bad Microsoft security is, how they
> don't "get it" and how they don't care. Then, when they issue a patch
> out-of-cycle, we hear pompous comments like "See! I told you so! They
> can do it if they want to, so they should do EVERYTHING like this!!"
> They handled it the right way, and still, they get criticism. Great.
#2.
> Oh, that's rich. Let's see-- wasn't it YOU that said to Dave Litchfield
> regarding Oracle:
> So, it's OK for Oracle to have the worst security (both in product and
> in attitude) of any vendor on the face of the planet, and to take the
> "Oh, let's not pick on them by singling them out" mindset, but now you
> are DEMANDING that every patch be treated like the WMF patch just
> because YOU said so?? Why are you singling out Microsoft here?
#3.
> What about WINE? Where is your DEMAND that THEY patch immediately?
> Where is the patch, anyway? Oh, there isn't one yet. Shouldn't you be
> ripping them a new one? After all, WINE is still vulnerable to the WMF
> exploit.
#4.
> Oh, I totally get your drift. You are biased, and speak with a forked
> tongue.
#5.
>
> t
>
5 points in this post, all directed as a personal attack. I learned to
only answer one out of every flame-baits, so I will concentrate on the
ideas behind the post instead.
Microsoft did nothing wrong, in fact, they did great. Microsoft is an
easy choice in this case because even though each case varies, they
showed a capability here to deal with issues much faster than usual.
Now, the point I am trying to make is not MS-specific, but rather about
our standards in the industry.
As an example, take false positives. A HUGE problem I[DP]S experts try
and deal with every day, invest a lot of time in, and yet can't solve...
therefore we got used in the industry to a level of false positives.
Same goes to vulnerability scanners.. false positives appear as a way of
nature.
And yet, some vendors are different than others. In I[DP]S as well as
vulnerability scanning. With some vendors, they invest less in features
and more in eliminating false positives. They treat them as full-blown
bugs rather than "something to live with". It works -- at least better
than with others.
Same goes as to patches.
In the Oracle case I was in complete agreement with Dave, but my opinion
was that the medium was wrong, and in some cases - the medium is the
message. That's something we'd have to disagree on.
In this case though, it is once again about standards. Microsoft shows
Oracle is not alone, although they achieved amazing progress, especially
in the last couple of years.
If a patch can be put through full testing and released within days when
it is taken seriously enough and resources are invested - no matter for
what reason, I see no reason myself that this can't become common practice.
We should be practical in our demands, but if in practice this can be
done in days, surely vendors can step it up a notch on critical issues.
Microsoft runs on most of the computers on this planet, therefore they
are to be treated different for better and for worse. A year+ of waiting
for a patch while people might be exploited is unacceptable according to
standards we should be upholding now that we know what is possible.
We are like a toad. Throw us into boiling water and we would jump right
out, screaming. Slowly raise the temperature of the water and we might
not even notice it.
Then suddenly.. we see bright light, and that is that standards in the
industry are too low. That is my opinion -- I may be wrong, but if you
wish to dispute it, I suggest you at least try rather than baiting for a
flame war.
:)
Happy new year,
Gadi.
