Re: Towards a responsible vulnerability process

From: Ryan Russell (ryan@SECURITYFOCUS.COM)
Date: 11/05/01


Message-ID:  <Pine.GSO.4.30.0111041908570.14583-100000@mail>
Date:         Sun, 4 Nov 2001 19:17:55 -0700
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
Subject:      Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Sun, 4 Nov 2001, Ernst Lopes Cardozo wrote:

> A proposal for an "Automatic Software Recall" service.
>

I would propose something simpler, a dead-man switch. If you don't apply
an MS-signed patch within 3 months, your machine drops off the net, except
for your ability to download patches. You can do lots of variations, such
as only IIS servers, DC's, etc... or for a home machine, just make the
browser only be able to go to Windowsupdate or some such until they apply
the patch. Whenever the next patch gets applied, the counter is reset.
Sure, you could write code to disable the feature, or knock back the date,
etc... but if you're knowledgeable enough to do that, and you refuse to
apply patches, then you get what you deserve.

Think Microsoft would never do it? Think too many people would hate it?
I would have thought that stuff too, until I learned that MS is willing to
do that for the sake of copy protection in the XP products. Hey, if they
can do it to us to support their license revenue, why not for the sake of
security?

We track the age of exploits being attempted around the world in our ARIS
system. With the exception of a couple of recent worms, the huge majority
of the attempts are for holes that are over a year old.

                                                Ryan
