Jon Lasser, 2002-10-09
Developers are accused of not publicizing the browser's security vulnerabilities enough. But do we really need worldwide alerts for every bug?
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-09
Twinker (3 replies)
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-09
Rob John <rdrj@mindspring.com> (2 replies)
I tend to agree: every vulnerability should be disclosed, regardless of how severe or not anyone judges it to be. I find it hard to believe you would apply the same standard to Microsoft.
Let's be consistent,
Rob...
My point was....
2002-10-10
Twinker (1 replies)
Jon's proposal is the same as M$'s and neither one is correct. M$ wants you to only tell them about the problem, and they will share it with you when/if it is important. Jon is proposing Unix/Linux do the same thing. I'm against any company for ANY reason hiding their security flaws. They don't wan...
Nothing's hidden
2002-10-15
Anonymous (1 replies)
There's no comparison here. Microsoft's bug database is hidden. You have no way of finding out what's been reported. Mozilla's is open. If you really care about every single bug, like you're claiming, all you have to do is log into Bugzilla and start reading.
...
Nothing's hidden
2002-10-15
Karl
I agree. Stop jumping off your high horse and read the article. The author is not saying that the bugs should be hidden, but that the public fanfare that accompanies many bugs today isn't necessary. If you want to see what security bugs are there it is easy; most of them are even in the release n...
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-15
Jason
????
Oh, sorry, I thought you actually read the article, because I know someone who read it would have understood that Mozilla does release all the bugs to the public.
Hell, you can go find them yourself, it being open source and all.
So let's see, what you are really saying is Mozilla shou...
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-16
DaveHowe
I am not really sure that this applies. There is a wide difference between hiding info behind NDA and threats of legal action, and publishing it in plain sight (site?) on your bug tracking system, but not bothering to notify bugtraq/full-disclosure/whatever about every last one of them. If you are so...
Mozilla's 'Code of Silence' Isn't
2002-10-09
Chad Loder
I'm subscribed to tons of different security and vendor announcement lists. I personally have no problems keeping up with new vulnerabilities and patches.
I'm not worried about researchers posting vulnerabilities for publicity's sake. I'm worried instead that major software vendors are still pu...
Mozilla's 'Code of Silence' Isn't
2002-10-10
Jon Lasser (2 replies)
I'm not arguing *against* full disclosure. If you think that's what I was saying, please read the column again.
I'm arguing that we need to think harder about our forums, and where a particular vulnerability should be disclosed....
Mozilla's 'Code of Silence' Isn't
2002-10-11
Sam
Jon;
I can see what you are saying: don't shout every minor vulnerability from the roof-tops, otherwise people will soon start to ignore you.
Essentially I agree with you, and no, you are not mirroring the MS stance. You are saying let the secinfo, geeks and admins have their flood of advisories -...
Mozilla's 'Code of Silence' Isn't
2002-10-16
Serge Wroclawski
Unfortunately, this is unrealistic.
The problem, Jon, is twofold:
1) Who do we disclose to?
2) What measures do we take to keep the disclosures from being spread?
The first issue is, well, who is going to say that Serge can see the bug, but not Jon? Who appoints the gatekeepers?
A com...
Mozilla's 'Code of Silence' Isn't
2002-10-10
Anonymous
That's not what he's saying at all. Microsoft has a long history of hiding security issues until either a) they get around to fixing it or b) someone spills the beans and puts them on the spot.
This is totally different from Mozilla where they have a list anyone can go check that lists all the...
Mozilla's 'Code of Silence' Isn't
2002-10-10
Twinker (2 replies)
People who panic will panic. How exactly do you propose stopping the media from selling trash news? The "let's only tell the elite people" approach blocks out many of the system admins/net admins from doing their jobs. And then the riff-raff rich companies get to decide what the rest of us need....
Mozilla's 'Code of Silence' Isn't
2002-10-11
XandreX (1 replies)
> The "lets only tell the elite people", blocks out many of
> the system admin/net admin from doing their jobs.
The way I've seen things, moz developers *always* disclose the bug, at least a short explanation, but, about some security bugs, the developer discussions which usually happe...
Mozilla's 'Code of Silence' Isn't
2002-10-11
Anonymous (2 replies)
I bet the fine folks at Securityfocus would love to be one of the "few" who get such notices. Based on Jon's methodology, eventually, only the corporate security sector would have security expertise. U G L Y and greedy ;)
If Jon wants to bash the media for the way they generally hype informatio...
Mozilla's 'Code of Silence' Isn't
2002-10-14
Anonymous
..And THAT is exactly what MS is advocating. For the past year, Scott Pulp and his ilk have been saying "It's not so much that we hate disclosure. We are just concerned about the methodologies of such disclosure. It would be great if you let us control those methodologies."
MS even co-opted s...
Mozilla's 'Code of Silence' Isn't
2002-10-11
Paul
I suppose if someone accidentally left their door unlocked one morning, and you had a choice between phoning him at work to tell him, and announcing on the radio that Joe Bloggs at number 14 had left his door unlocked, only one of these would seem reasonable.
If Joe didn't bother doing anything abo...
Mozilla's 'Code of Silence' Isn't
2002-10-12
Anonymous
I think that security alerts are vital for having a good level of security. It's essential because you'll know exactly what your weak points are and you can work on a workaround to make your systems reliable, or even temporarily turn off some systems until a patch is released. Also (in case of fr...
Mozilla's 'Code of Silence' Isn't
2002-10-12
Anonymous
It's not a code of silence. It's a lazy security guy at netscape.
I raised a bug about the fact that mozilla.org's security page that says 'Click here for known vulnerabilities' doesn't show any of them. I suggested that, because the default homepage already implores you to upgrade from older vers...
Practice what you preach
2002-10-13
Anonymous
I sit here and read day after day from unix/linux users about how Microsoft doesn't publish every non-significant bug in their software, but it's OK for Mozilla to hide the fact that my credit card information is being stolen because they're too lazy to tell us their browser is buggy.
Practice what you ...