Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: what we REALLY learned from WMF
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 06 Jan 2006 15:45:59 +1300

Niek wrote:

MS appearantly had the patch read on 28 december 2005.
Suppose they released it 48 hours later, because the flaw is so serious.
Suppose everyone praises MS because they tackled it so quickly.
Suppose the MS patch breaks one of your applications.
Suppose I'd be reading your rant on this list a few days later,
on how MS sucks because they don't take the time to test things properly......

_In this case_ I'd say:

   Good on Microsoft for actually living up to the so far mainly BS but
   supposedly official 'security must take precedence over features'
   company line for several years.

and to the hapless -- no, gormless -- developers of whatever third-
party app(s) were broken I'd say:

   Serves you right for using a clearly insecure API, and why are you
   whining that your customers prefer security to some ill-conceived,
   security-lowering feature?

Retorts along the line:

   But MS recommended we do it that way.

would leave one hoping that their few remaining customers now desert 
them with all haste as they clearly don't give a rat's a*se about their 
customers' security so don't deserve to have any customers.


Yes, but not as unacceptable as _expecting_ your customers to badly 
compromise their security for your convenience.


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]