2001-12-31
Everyone from the FBI to the L.A. Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.
Fear, Uncertainty and Doubt, Inc.
2001-12-31
Anonymous (1 replies)
RE: Fear, Uncertainty and Doubt, Inc.
2001-12-31
J Horner <jjhorner@bellsouth.net> (2 replies)
RE: Fear, Uncertainty and Doubt, Inc.
2001-12-31
Anonymous (1 replies)
Fear, Uncertainty and Doubt, Inc.
2001-12-31
Anonymous (2 replies)
No worm? Tim, lay off the meds
2001-12-31
Anonymous (9 replies)
A lesson in comprehension...
2002-01-02
Anonymous (1 replies)
A lesson in... Comprehend this: MS has 36+Billion in Liquidity (4x next on list)
2002-01-06
gained by monopoly + inferior product = superior pricing (does this compute?) (1 replies)
A lesson in... Comprehend this: MS has 36+Billion in Liquidity (4x next on list)
2002-01-16
Anonymous
Here you go Tim, the exploit is out !
2002-01-04
Chad Cyrisse (1 replies)

> dedicated to saturating the issue with his own special
> blend of FUD that is almost elevated to an art form. In a
> complete exit from anything security related, Gibson goes
> as far as to charge Microsoft with purposefully
> withholding an advisory and patch for this vulnerability
> so that Christmas sales would not be affected.
You yourself say that a personal firewall is a viable
workaround. Why did MS not notice this for months? Do
they assign virtually no capable staff to the problem?
This would be one of the first things a competent security
person would look at, yet they left hundreds of thousands
of people exposed for almost 2 months without bothering to
try this and see, or so we are to believe. No matter what
the answer is, this reflects extremely badly on MS.
> My issue is that so many people have rushed to be
> authorities on this bug that many didn't bother to get
> their facts straight before posting fixes and writing
> articles about it. The NIPC advisory gives people
> specific instructions on how to disable the "UPnP
> Device Host" on XP and has been widely linked to by
> many. Unfortunately, this does absolutely nothing.
Hmm, it sounds like what you're saying is that people
like the FBI and NIPC and even MS themselves can't figure
out security issues well at all. Had these things been
posted on vuln-dev and bugtraq, we would have known more
than this within a day or two. This does not bode well
for MS's disclosure policy, which limits discussion to
people like the FBI, NIPC, MS and their associates, does
it?
You see, I speak from experience. I have had to fix bad
code that was being dissected in newsgroups. Bugs which
had been brought up by security staff many months before
were left unfixed; somehow there was never a programmer
available to assign to the problem. Then it hit the
mailing lists. The security folks looked it over and came
up with a fix the same day. Still no programmer was
assigned to the job. Finally the bug hit the mainstream
press, the VPs and CEO demanded action, and it was fixed
within 24 hours. That is just how things work at most
companies, I'm sorry to say.
My profound thanks to those who advocate "responsible
disclosure" à la RFP's policy. Having a little advance
notice is great for those at the company who care, and
the negative publicity that accompanies neglect is a great
motivator for those who don't.
Link to this comment: http://www.securityfocus.com/comments/columns/50/9631#9631
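The comment above makes one practical point worth acting on: an advisory's workaround (here, "disable the UPnP Device Host") should be verified on the box rather than trusted, because a service toggle that leaves the network listener bound has mitigated nothing. The following is an added example and not code from this thread, the column, or any of the commenters. It parses the Windows `netstat -an` layout and reports whether the UPnP-related sockets are still bound on a non-loopback address. The port numbers (UDP 1900 for SSDP discovery, TCP 5000 for the XP UPnP host listener) are taken from Microsoft's bulletin MS01-059, not from this page, and the two netstat snapshots are constructed sample data.

```python
import re

# Ports used by the XP UPnP stack per MS01-059 (SSDP discovery on UDP 1900,
# UPnP host listener on TCP 5000). Assumption: these come from the bulletin,
# not from the thread above.
UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}

# One `netstat -an` row in the Windows layout:
#   Proto  Local Address  Foreign Address  [State]
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_addr, local_port, state) for each socket row.

    Header and blank lines do not match the row pattern and are skipped.
    UDP rows carry no state column, so state is "" for them.
    """
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state = m.groups()
        sockets.append((proto, addr, int(port), state or ""))
    return sockets


def exposed_upnp_listeners(text):
    """Return UPnP sockets still bound on a non-loopback address.

    An empty list means the listener is gone and the workaround did
    something; a non-empty list means the host is still reachable on
    the UPnP ports regardless of which service was toggled.
    """
    hits = []
    for proto, addr, port, state in parse_netstat(text):
        if (proto, port) not in UPNP_PORTS:
            continue
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback only: not reachable from the network
        if proto == "TCP" and state != "LISTENING":
            continue  # an established/closing TCP socket is not a listener
        hits.append((proto, addr, port))
    return hits


# Constructed sample snapshots (not real captures).
SAMPLE_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1900         *:*
"""

SAMPLE_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, snap in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = exposed_upnp_listeners(snap)
        verdict = "STILL EXPOSED" if hits else "no UPnP listener bound"
        print(f"{label}: {verdict} {hits}")
```

On a live host you would feed the output of `netstat -an` to `exposed_upnp_listeners` once before and once after applying whichever workaround the advisory prescribes; if the "after" result is not empty, the workaround did not remove the attack surface and a host firewall rule on those ports is the fallback the column recommends.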