>
> I've proposed to Microsoft that they stop publishing Mitigating
Factors in
> their security bulletins, and now it looks necessary to propose the
same
> in
> a more open forum.
>
I disagree. From a risk perspective you need to know mitigating factors.
To kill the hype that accompanies a newly discovered vulnerability you
need a cool, dispassionate, overview of the problem. Your sample
'aggravating' factor was anything but, and would be more likely to add
to the hype.
I think your decision to ask Microsoft first is a sign of your
prejudice, why not ask the Open Source communities to lead the way? I
can see it now: "WARNING: By using Open Source code anyone can modify
the source, replace your binaries, and completely root your system!"
John Howie CISSP MCSE
President, Security Toolkit LLC
>
> I've proposed to Microsoft that they stop publishing Mitigating
Factors in
> their security bulletins, and now it looks necessary to propose the
same
> in
> a more open forum.
>
I disagree. From a risk perspective you need to know mitigating factors.
To kill the hype that accompanies a newly discovered vulnerability you
need a cool, dispassionate, overview of the problem. Your sample
'aggravating' factor was anything but, and would be more likely to add
to the hype.
I think your decision to ask Microsoft first is a sign of your
prejudice, why not ask the Open Source communities to lead the way? I
can see it now: "WARNING: By using Open Source code anyone can modify
the source, replace your binaries, and completely root your system!"
John Howie CISSP MCSE
President, Security Toolkit LLC
[ reply ]