Re: [ISN] Hacker watchdog group in the works

From: InfoSec News <isn_at_c4i.org>
Date: Mon 12 Nov 2001 - 03:42:48 CST
Forwarded from: Robert G. Ferrell <rferrell@texas.net>

> MOUNTAIN VIEW, Calif. -- Microsoft and five security companies
> announced on Thursday that they would create an organization to
> promote the responsible publishing of information about software
> flaws.

Sorry, but "Microsoft" and "responsible" in the same sentence pegged
my incongruity meter.

My inherent distrust of vendor-initiated and/or moderated forums
devolves from the simple fact that vendors (understandably) want to
downplay the severity and potential consequences of vulnerabilities
discovered in their products.  As a consequence, while we might get
the bare bones facts about a security flaw and maybe even a fix, we
aren't likely to get anything like the exhaustive analysis of the
engineering issues underlying a particular vulnerability that now
frequently accompanies announcements by independent security analysts.  
This in effect means that we simply have to trust the vendors to kiss
it and make everything all better, despite the fact that they're the
same ones who shipped the product with the flaw in the first place.

I don't know about you folks, but applying the traditional Redmond
'black box' principle to security gives me the heebie-jeebies.

Cheers,

RGF

Robert G. Ferrell
rferrell@texas.net



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
Received on Mon Nov 12 05:31 CST 2001