Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×

Daily Exploit Releases Irk Both Vendors and Crooks 165

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"
This discussion has been archived. No new comments can be posted.

Daily Exploit Releases Irk Both Vendors and Crooks

Comments Filter:
  • by dubmun ( 891874 ) * on Friday July 14, 2006 @05:41PM (#15722192) Homepage Journal
    A direct quote from the IE team over at Microsoft: "Don't tell anyone about all our holes! Then we won't have to fix them."
    • Not far from the truth at all. In their mind, every reported vulnerability serves to give customers an impression that IE is riddled with security problems. No matter that the damage is already done. If they looked at what's on a typical home Windows system, they'd know that already.
    • by Kesch ( 943326 ) on Friday July 14, 2006 @06:00PM (#15722308)
      Here are the responses from the different browsers after recieving vulnerability reports:

      Firefox: Fixed!
      Opera: Fixed in 9.0
      IE: ...(4 months later) DUDE!? Why you have to go tattle on us!?
      • Here are the responses from the different browsers after recieving vulnerability reports:

        Firefox: Fixed now, but when you install the new version for the fix, all your extensions won't work.
        Opera: We didn't have to fix it, it was a non-standard that everyone wanted bet we didn't impliment it because it might have broken an actual standard.
        IE: The problem is with the people that report vulnerabilities. It's much more efficient to wait until someone writes and exploit before patching.
      • Firefox: Fixed!

        I think you mean "Fixed in CVS!"

        • Nah man, that's the answer to almost everything on the MPlayer mailing list. Nowadays, it's "Fixed in Subversion _ages_ ago."
          • Nah man, that's the answer to almost everything on the MPlayer mailing list. Nowadays, it's "Fixed in Subversion _ages_ ago."

            Not anymore - they finally did a release about a month ago. (A year between releases is far too long in the open-source world - Gentoo gave up and started using their own CVS snapshots of mplayer...)
            • Not anymore - they finally did a release about a month ago. (A year between releases is far too long in the open-source world - Gentoo gave up and started using their own CVS snapshots of mplayer...)

              You mean that Gentoo doesn't just pull the newest files from CVS ?-o

              And here I thought I'd switch from my current RH9 into an up-to-date distro...

              • You mean that Gentoo doesn't just pull the newest files from CVS ?-o

                Oddly enough, no. There are ebuilds that do that for some programs (though not mplayer), but you're strongly discouraged from using them (for obvious reasons).
  • 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

    Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:

    CORRECTION: The article's discussion of Peter Swire's paper and position was clarified to stress that he believes proper disclosure involves first notifying the vendor, giving them time to fix the issue and then releasing vulnerability information.

    Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.

    • Ok, this does seem strange, but brings more questions for myself...

      First, lets assume he is reporting these to Microsoft in a responsible way...

      With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

      Microsoft 'should' also be
      • by Anonymous Coward on Friday July 14, 2006 @06:19PM (#15722389)
        This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

        The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

        To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

        These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

        At which point, what good does keeping silent do?
        • by Entropy ( 6967 ) on Friday July 14, 2006 @07:30PM (#15722694)
          The problem is, that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware.


          I think it goes further than you took it, though:

          Microsoft is the theater owner, and is very aware of the fire. He is in fact standing there in front of the smoldering flames to hide them.

          And telling all the ushers to stand in the way, too.

          And he's lit up a big fat cigar to cloak the smoke as best as possible.

          And he's laughing nervously and encouraging others to light up, too, so the fire is cloaked by everyone smoking ..
        • Nah to stretch the original metaphor... HD Self-Promoter sees a situation in the theatre that under the proper conditions that won't pop up in normal operations of the theatre would start a fire. So he decides to demonstrate that he is correct about this by burning the theatre to the ground.
          • by Schraegstrichpunkt ( 931443 ) on Saturday July 15, 2006 @12:16AM (#15723574) Homepage

            Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.



            • nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties.

              I applaud this patriot. He's identifying breaches in our national security infrastructure which is being exploited by malevolent international organizations. This is a demonstrably greater threat to our national security (recent state department break-ins [cnn.com]) than our porous southern border or our domestical phone call traffic.

              Microsoft's foot-dragging on repairing these weaknesses is endangering
        • by schon ( 31600 ) on Friday July 14, 2006 @09:54PM (#15723140)
          Odds are good that if he's found a hole, others have as well, and are misusing it.

          Isn't that why the black hats are pissed too?

          The odds aren't "good" - they're 100%.
        • To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

          Actually, I think a better metaphor would be to warn someone that there are pickpockets operating in the area *and* that their bag is open and their wallet/purse clearly visible.

          Ie while they're not being robbed *right now*, they're definitely vulnerable.
      • If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the Vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safe guard consumers.

        I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

        I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

        What are your opinions 'bias aside' on a single entitiy making decisions for vendors and consumers that they probably are not in a position to make?

        Clearly they are in a position to make it, because they have the information on the vulnerability :)

        Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

        Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

        • Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

          Ok, then.

          Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved Open-BSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an
          • Name an Operating System vendor that doesn't have any buffer overflows found!

            Burroughs B5000 [wikipedia.org]

            "It was a unique machine, well ahead of its time."

            One reason it never became all that popular was that it did not like reading and writing outside of the prescribed bounds.

          • In short, they ALL have issues, some more than others. Many of the issues found in Windows are found in IE - compare that to the recent swath of holes found in Firefox/Mozilla.

            It's not fair to say that IE and Firefox are the same. IE has more issues and Firefox fixes their issues but IE doesn't.

            It's not that Microsoft is malicious. It just takes them a long time to release software. Look at how long Vista has been delayed.

      • If it's going to take 2+ months to fix an exploit due to the large amount of code involved, is it right to leave your customers running vulnerable software just because you can't fix it fast enough?
      • by Trepalium ( 109107 ) on Friday July 14, 2006 @06:27PM (#15722417)
        Let me play devil's advocate on this one.

        With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?
        And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?
        So if MS doesn't meet his timeline, then the consumers and industry gets screwed and put at risk.
        Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

        I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors have left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc) in order to receive acknowledgement in the advisory is another. Add to this the fact it often takes months and months to get a patch to a reported vulnerability means that people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

      • With that said, who is he to 'determine' the 'timeline' for the fix?

        He is the person that reported it. I have never reported a problem to MS, but if they handle it like I expect (after dealing with other places that I've reported problems), I would expect that they take the information, toss it in the "we'll look at it" bucket, and ignore the person that reported it. If they want him to wait on reporting it, they should give him a reason. Perhaps something as simple as "we've had this reported before,
      • This borders on yelling fire in a theater

        No it is just another form of journalism, and parties that are made to look bad by inconvenient details want to make it as contentious as reporting on wars. Obsurity has not worked, and going after the people that point out that MS or others have problems is not giving comfort to some sort of enemy because the people vunerable to the flaws can also do something about it even if there is no patch available yet. Why should the script kiddies and two or three guys at

      • With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

        The hackers and the software firms wrestled with this throughout the last half of the 1990s. They came to an uneasy truce somewhere around 2000 and decided that 30 da

        • That 30 days is a polite guideline: but given Microsoft's strong history of ignoring some very deep holes, for months if not years, groups that collect such vulnerabilities and report them are in a very bad position. CERT, for example, has at least 3 severe vulnerabilities, at least 6 months old, that I read copies of the reports for when submitted. They can't publish because they won't publish without Microsoft's approval, so the holes remain unacknowledged and probably unpatched.
      • by More Trouble ( 211162 ) on Friday July 14, 2006 @08:23PM (#15722871)
        This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

        And when there is a fire, how irresponsible is it to not yell fire?
        • This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

          And when there is a fire, how irresponsible is it to not yell fire?

          Furthermore the justification behind the ruling in question was unusually weak. There is a very good reason that one must not falsely yell "Fire!" in a crowded theatre, which has nothing at all to do with "necessary" restrictions on free speech: it infringes on an agreement (contract) m

          • Even if speech itself is considered inalienable and cannot be legally prevented by a contract (as is my view), the contract can certainly impose fines for specific kinds of speech, because property is alienable. The fine is merely a conditional transfer of property rights; the condition can be anything the other party will agree to.

            I would like to point out that a contract can't actually prevent anything; all it can do is assign penalties for certain actions. A piece of paper is completely unable to sto

      • Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants, he is only screwing the consumers, not MS other than giving them bad press.

        Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)

        I think the software vendors are forgetting something: giving them an advance warning of the pen
      • With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

        Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.

        News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked re

      • With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage becuase he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

        You discount the fact that the "fix" doesn't have to be a Microsoft patch, it might simply be a customer turning off a service or closing off a port that previously looked
    • Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft
      And too bad that all of these which were actually vulnerabilities had already been patched in MS06-21.
    • ...Also note that "This common accepted practice " of only telling the vendor is ONLY MICROSOFTS preference.
      The nets historically accepted method is broadcasting to the world, via bulletins on a security related (but "open") mailing list,
      preferably with example exploit code. (Sometimes code witheld/only sent to vendor until reporter finds someone who cares)
  • by a_greer2005 ( 863926 ) on Friday July 14, 2006 @05:46PM (#15722223)
    Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Nortan, or just not realise it untill the PC fails to boot in under 10 minutes at which point they just buy a new one, which means by default, another license for Winodws that isnt really needed, but Redmond gets the $$$ non-the-less...
  • by dtfinch ( 661405 ) * on Friday July 14, 2006 @05:47PM (#15722228) Journal
    "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

    From the looks of it, most if not all of those were reported months before they were published.

    Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.
    • You kidding?

      I'd give the vendor a week at most, and that's being generous. And always release full details anyway. That's a lot of systems that could be getting broken into during those 90 days. If you know how to exploit something, making a program to do it automatically is a question of hours.
    • No, because if you never make the exploit public that doesn't mean that the black-hats won't know about it. And the 'slow to update' users will be vulnerable without ever knowing it.

      Hell, publish it with the note that if they don't patch this vulnerability then a black-hat can break into their computer and use it to steal all their money from their bank _and_ rape their puppy! Maybe that will help them to be less 'slow' to update.

      (yeah, I know it's pissing up a rope, but it's a dream)
    • by CherniyVolk ( 513591 ) on Friday July 14, 2006 @06:34PM (#15722445)

      Three months is too long.

      Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part becuase of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contacted Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.

      Bottom line here, is what is 'responsible' exploit exposure? Noone really has a hardened explanation. Companies would love for thier ideas governing exposure, basically it affords them the ability to flip the bird at one person (the discoverer) and hope noone else see's it; which is, the most likely scenerio becuase we all know, captialists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.

      Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic and if they want to sue you, they could even to suffer an obvious loss just to introduce you to the ringer. Or, is it more responsible to out right give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the perverbial ass. Why give a company an option? Force them to live up to their end of the deal; deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application, it must be fixed; while this is the tendancy in the Open Source area, it is a philosophical obligation for a company.

      So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.
  • Only one OS? (Score:1, Interesting)

    by Anonymous Coward
    Will he release vulnerabilites from several vendors?
    Or do some vendors not have enough to mention?
    Or do other vendors actually fix them in a timely fashion?
  • I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.
    • by Anonymous Coward
      I feel that there is not enough being done about stupid legislators. So I'm going to pass a stupid law a day, every day, for the month of July. Any reports I'm getting huge checks under the table are lies.
    • > I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

      (Not to put a downer on your funny post but...)

      ...it's more like "So I'm going to report every murder on the TV news, for everyone to see, until people get so fed up with seeing it every night, that they pressure the Oakland Police (who, just as Microsoft has a legal monopoly on its own sourc

    • by Odin_Tiger ( 585113 ) on Friday July 14, 2006 @06:16PM (#15722384) Journal
      This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in posession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."
      • Before anybody has the chance to point it out, yes I know I screwed up. -prosecute +arrest. >:P
      • It's more like publishing the names and addresses of child molesters: the molesters don't want you to publish their names, the police often don't want to publish the names because it can screw up their pending court cases or prosecutions, but leaving the molesters alone will certainly not stop them or protect anyone.
  • by FsG ( 648587 ) on Friday July 14, 2006 @05:50PM (#15722247)
    Here's the link [blogspot.com] to the list of Moore's browser exploits, the ones that the article is talking about.
  • by Anonymous Coward on Friday July 14, 2006 @05:50PM (#15722251)
    ...you must be doing something right.
  • by davidwr ( 791652 ) on Friday July 14, 2006 @05:50PM (#15722253) Homepage Journal
    Best practices in my not-so-humble-opinion:

    1) warn the vendor ASAP
    2) warn the security community within a week, immediately if the vendor has no objections
    3) as soon as there is an exploit that represents a real threat:
      a) give all details to the security community
      b) give a workaround, like "disable such and such service," to the general public.
    • There's no reason that the bad guys cannot find the same flaws he is finding and exploit them.

      Unless the bad guys do something massively stupid, how would the researcher know that the bad guys were exploiting it?

      Instead, I'd prefer a 90 day countdown. This provides the incentive for the companies to patch their products.

      Otherwise, an exploit can exist for years without anyone but the bad guys knowing it.
    • This schedule sounds *much* more reasonable than the "tell vendor and then wait 90 days" version.
    • This is the vendor party line, and this is why I disagree with it.

      First, this process does not protect the user, it is merely a PR thing for the vendor. While I feel for the vendor, wish to give them adequate time to correct the problem, history tells us that this sympathy backfires. Here is the normal drill. If a venerability gets reported, but there is no exploit "in the wild", then the venerability gets less priority. This is fine because the exploitable code needs to fixed first. But then later o

    • Go to vendor, vendor gets a court order against you so you can't sayanything, then doesn't fix the hole.
      Or, vendors sues you for trying to 'extort' them.

      no, these large companies have made their beds, now they can sleep in them.

      Tell everyone you can loud and clear about any exploit.

    • Waiting is just letting the crackers have more time before things hit the fan. Security shouldnt be something you slap on like bandaid afterwards. Before exploits are being "found" by security vendors and researchers they are often being actively used by crackers. Security vendors then buy the exploits and sell the information to their customers.

  • It "irks" them? (Score:2, Insightful)

    by andytrevino ( 943397 )

    So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?

    While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. P

  • So, is the proper way to move people from Windows to Linux is to destroy the ability to use Windows as a computing platform?
  • I used to be a linux fan. never really stopped, but life didn't let me pursue it for a while. now i'm admin of a linux-based phone switch (eOn's equeue) and these alerts suddenly concern me. fact is, i don't even have root. it's menu-based, you can get a shell but su doesn't work. the eOn techs are the ones responsible for root tasks, and i'm not sure they're going to handle this promptly.

    in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in th
    • in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. be a bit embarrassing if the new guy's machines got owned.

      New Windows machines get owned too but I don't think that is exactly your concern. Any alternative has to be outrageosly superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and after long conditioning somew

    • Sounds like you picked the wrong product. That's a different issue.
  • We had to take the time to patch XP, test those, then move them over to Vista, test those...

    Vista is now scheduled to be released to OEMs in the second quarter. No, we won't say what year...
  • If you're pissing off everybody you're probably doing something right.
  • by PavementPizza ( 907876 ) on Friday July 14, 2006 @06:50PM (#15722530)
    Headline says: Daily Exploit Releases Irk Both Vendors and Crooks

    Considering that Microsoft is the only Vendor complaining, and considering they've had months to fix all of these and didn't, the headline should be:

    Daily Exploit Releases Irk Crooks
  • but he appears to be the only one enjoying it

    Add at least me in there as well.

    Blackhats have been doing this and other work like it for years. The current state of security is defined better by ignorance than by safety. Patching is a workaround, not a solution. To use an analogy: Patching means we built more hospitals in response to car crashes, instead of inventing air bags.

    I'll enjoy the show. It's a very good demonstration that "oh, we'll fix whatever comes along as soon as we learn about it" is not a vi

  • So often we hear about worms that attack the net via vulnerabilities that have been around for months, and everyone screams at the vendor for being slow to patch.

    I've seen this suggested before and it's a simple idea. Give them three weeks. Send it to the bat-phone or whatever the vendor has. Three weeks later, post it somewhere nice and public - a forum for the discussion of existing unpatched vulnerabilities. Post it regardless of whether or not a patch is available.

    If the vendors cry, tell them if th

If A = B and B = C, then A = C, except where void or prohibited by law. -- Roy Santoro

Working...