Re: Time-to-patch vs Disclosure method

From: Jay D. Dyson (jdyson@treachery.net)
Date: 10/18/01


Date: Wed, 17 Oct 2001 18:50:15 -0700 (PDT)
From: "Jay D. Dyson" <jdyson@treachery.net>
To: Vuln-Dev List <vuln-dev@securityfocus.com>
Subject: Re: Time-to-patch vs Disclosure method
Message-ID: <Pine.GSO.3.96.1011017184700.16650D-100000@crypto>


-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 17 Oct 2001, Mark Kennedy wrote:

> I disagree that all Microsoft is doing is diverting attention. They
> raise some legitimate questions and concerns.

        I could not possibly disagree more. They are blaming the
discoverers of their flaws for their security problems. That's not only
poor judgment, it's deceptive to the consumer.

        Rather than admit the glaring flaws in their own product, they
decide to publicly bash the firms that are helping people defend their own
networks.

> Their problems are another topic. But just because they are the source
> of the vulnerability does not undermine their valid concerns on how that
> vulnerability is disclosed.

        Sure does. Do note that Microsoft only endorses those products and
services in which they can make a buck. All the while, they go out of
their way to demonize every open source and security-related product and
firm that is given out for free.

        That's not just stupid, it's just another shining example of their
anti-competitive tactics.

- -Jay

  ( ( _______
  )) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
 `--' `--' `- Peace without justice is life without living. -' `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

-----END PGP SIGNATURE-----