BugTraq
RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
Replies in this thread: John Howie (Feb 06 2003 04:01PM), Jason Coombs (Feb 06 2003 06:03PM), Jason Coombs (Feb 07 2003 05:32PM)
> I think your decision to ask Microsoft first is a sign of your
> prejudice, why not ask the Open Source communities to lead the way?
Speaking of the "Open Source" community, I'd really like to see them
following Microsoft's lead in the advisory writing business. Their
notifications are converging towards something useful, and it's only a
question of time when they will start to describe how to block attacks
on the network layer if possible, and how to employ their own products
to protect infrastructure even if you can't immediately apply a patch.
For software distributed in source code, you can reverse-engineer this
information by examining the source code changes, but that's beyond
the skills of the average sysadmin. And for a typical free software
zoo, it's coming close to a full-time job as well.
If those who really understand and fix the bugs could provide such
information (e.g. rough requirements for attack such as access to
certain TCP ports, the security context injected code runs in,
indirectly affected products, proof-of-concept exploits to
independently check vendor fixes), those "Open Source" enthusiasts
might actually claim that their bug squashing process is superior.
Currently, the way security defects are resolved sucks badly: The
information is accessible, somehow, somewhere, but no one takes the
trouble to make it accessible to the average sysadmin.
Or is everyone busy catering to their paying customers, and sharing
information would just reduce the perceived value the customers
receive?
--
Florian Weimer Weimer (at) CERT.Uni-Stuttgart (dot) DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898