industry standards - current status [was: what we REALLY learned from WMF]

Comments and text below the quoted text.

mis-information. I believe even *you* posted erroneous information. Nice.


First everyone bitches about how bad Microsoft security is, how they don't "get it" and how they don't care. Then, when they issue a patch out-of-cycle, we hear pompous comments like "See! I told you so! They can do it if they want to, so they should do EVERYTHING like this!!" They handled it the right way, and still, they get criticism. Great.


Oh, that's rich. Let's see-- wasn't it YOU that said to Dave Litchfield regarding Oracle:

So, it's OK for Oracle to have the worst security (both in product and in attitude) of any vendor on the face of the planet, and to take the "Oh, let's not pick on them by singling them out" mindset, but now you are DEMANDING that every patch be treated like the WMF patch just because YOU said so?? Why are you singling out Microsoft here?


What about WINE? Where is your DEMAND that THEY patch immediately? Where is the patch, anyway? Oh, there isn't one yet. Shouldn't you be ripping them a new one? After all, WINE is still vulnerable to the WMF exploit.


Oh, I totally get your drift. You are biased, and speak with a forked tongue.



5 points in this post, all directed as a personal attack. I learned to only answer one out of every flame-baits, so I will concentrate on the ideas behind the post instead.

Microsoft did nothing wrong, in fact, they did great. Microsoft is an easy choice in this case because even though each case varies, they showed a capability here to deal with issues much faster than usual.

Now, the point I am trying to make is not MS-specific, but rather about our standards in the industry.

As an example, take false positives. A HUGE problem I[DP]S experts try and deal with every day, invest a lot of time in, and yet can't solve... therefore we got used in the industry to a level of false positives.

Same goes to vulnerability scanners.. false positives appear as a way of nature.

And yet, some vendors are different than others. In I[DP]S as well as vulnerability scanning. With some vendors, they invest less in features and more in eliminating false positives. They treat them as full-blown bugs rather than "something to live with". It works -- at least better than with others.

Same goes as to patches.

In the Oracle case I was in complete agreement with Dave, but my opinion was that the medium was wrong, and in some cases - the medium is the message. That's something we'd have to disagree on.

In this case though, it is once again about standards. Microsoft shows Oracle is not alone, although they achieved amazing progress, especially in the last couple of years.

If a patch can be put through full testing and released within days when it is taken seriously enough and resources are invested - no matter for what reason, I see no reason myself that this can't become common practice.

We should be practical in our demands, but if in practice this can be done in days, surely vendors can step it up a notch on critical issues.
Microsoft runs on most of the computers on this planet, therefore they are to be treated different for better and for worse. A year+ of waiting for a patch while people might be exploited is unacceptable according to standards we should be upholding now that we know what is possible.

We are like a toad. Throw us into boiling water and we would jump right out, screaming. Slowly raise the temperature of the water and we might not even notice it.

Then suddenly.. we see bright light, and that is that standards in the industry are too low. That is my opinion -- I may be wrong, but if you wish to dispute it, I suggest you at least try rather than baiting for a flame war.

Happy new year,