-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Do we need another CERT?
,----[ Quote ]
| Yes.
|
| Google’s backing of oCERT is a major milestone in the history of open source.
|
| It’s not that I have anything against the Computer Emergency Response Team at
| Carnegie-Mellon. They do important work, not only in identifying risks but in
| educating people on them.
|
| What makes oCERT important is here, in the famous 2000 essay by Bruce
| Schneier on the “window of vulnerability.”
|
| As Schneier noted, vulnerabilities, like fame, have five distinct phases.* A
| vulnerability is discovered, announced, becomes popular, gets patched, and
| then the patch is disseminated.
`----
http://blogs.zdnet.com/open-source/?p=2392
Yesterday:
Pondering when your next break-in will happen
,----[ Quote ]
| I mean how much trust can you have in say, Microsoft, which has, nine
| count 'em nine "high risk" vulnerabilities. Three of those have been on the
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| list for more than a year, and one is closing in on its second birthday.
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| In all fairness, Microsoft isn't the only bad egg. Computer Associates, IBM,
| Novell and HP also make multiple appearances on the list.
|
| Still, it does make me wonder. How long exactly can some of those ancient
| security holes go unfixed before someone else discovers them? Say someone who
| will immediately put his discovery to use by quietly infecting a few million
| Windows PCs?
`----
http://blogs.computerworld.com/pondering_when_your_next_break_in_will_happen
Related:
Critical Vulnerability in Microsoft Metrics
,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.
`----
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
Skeletons in Microsoft’s Patch Day closet
,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----
http://blogs.zdnet.com/security/?p=316
Beware of undisclosed Microsoft patches
,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----
http://blogs.zdnet.com/microsoft/?p=527
Microsoft is Counting Bugs Again
,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html?kc=MWRSS02129TX1K0000535
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIIbkTU4xAY3RXLo4RAnA6AJ9NBxVjUB387BF3phVSVE1t8lalgwCeMjmx
9TLEFGLLCFemW7LwMxY5Fng=
=cUBr
-----END PGP SIGNATURE-----
|
|
