BugTraq
Microsoft and Security Jun 25 2004 06:53PM
http-equiv@excite.com (1 malware com) (1 replies)
Re: Microsoft and Security Jun 26 2004 08:21AM
Radoslav Dejanović (radoslav dejanovic opsus hr) (1 replies)
Re: Microsoft and Security Jun 28 2004 12:41PM
Justin Wheeler (jwheeler datademons com) (1 replies)
RE: Microsoft and Security Jul 04 2004 09:06PM
Alun Jones (alun texis com) (3 replies)
Re: Microsoft and Security Jul 06 2004 12:33AM
Jason Coombs (jasonc science org)
Alun Jones wrote:
> ... okay, so you're arguing that even more QA and more testing should be
> <snip>
> releasing a smaller fix, with minimal impact, as soon as possible.
> <snip>
> improving the process, perhaps you should try and express those suggestions
> in a coherent manner that could be used
...

Aloha, Alun.

My suggestion is a simple one that all software developers can manage to
incorporate into their busy schedules and tight budgets:

Hire an expert to conduct a thorough forensic review of the software
before it is released, and publish the forensic analysis report.

Any vulnerabilities, flaws, areas that need additional work, portions
that were built by subcontractors of questionable skill or loyalties,
portions that were offshored, features that the programmers themselves
warn are not yet done by placing comments in the source code, third
party libraries or code or algorithms that may create intellectual
property liability for the end user, and all other issues of computer
forensics and computer law should be spelled out as clearly as possible
by any company that develops and distributes software to the public.

Anyone who does not publish a forensic analysis report along with their
software should publish the source code, whether or not they release
legal rights to that source code under an open source or free software
license.

The computing public should not have to reverse engineer software
products in order to figure out what they do to the computers on which
they are installed and used.

Even the Department of Justice knew better than to allow the FBI to
build and deploy law enforcement computer technology without hiring an
expert to write a forensic report on the product, and the FBI doesn't
try to sell "Carnivore" to anyone.

http://www.epic.org/privacy/carnivore/

Final Independent Technical Review of the Carnivore System
http://www.epic.org/privacy/carnivore/carniv_final.pdf

We should require software vendors to take this stuff seriously.

Sincerely,

Jason Coombs
jasonc (at) science (dot) org

Re: Microsoft and Security Jul 05 2004 05:58PM
Justin Wheeler (jwheeler datademons com) (1 replies)
RE: Microsoft and Security Jul 05 2004 11:10PM
Alun Jones (alun texis com) (2 replies)
Re: Microsoft and Security Jul 09 2004 03:21PM
Valdis Kletnieks vt edu (1 replies)
Re: Microsoft and Security Jul 12 2004 11:47AM
Charles Otstot (charles otstot ncmail net) (1 replies)
Re: Microsoft and Security Jul 17 2004 12:47AM
Lucas Holt (luke foolishgames com)
RE: Microsoft and Security Jul 06 2004 07:04PM
David F. Skoll (dfs roaringpenguin com) (1 replies)
Re: Microsoft and Security Jul 07 2004 12:57PM
Adam Shostack (adam homeport org)
RE: Microsoft and Security Jul 05 2004 07:40AM
Radoslav Dejanovic (radoslav dejanovic opsus hr)


 

Copyright 2010, SecurityFocus