-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Response Team Boosts Open Source Security
,----[ Quote ]
| All in all, oCERT sounds like a worthwhile project that will provide a
| valuable service to the community of open source vendors and customers. Let's
| hope it wins enough support to sustain itself for the long run. (That name
| might be a problem, for starters -- CERT is a trademark of Carnegie Mellon
| University.)
`----
http://www.pcworld.com/businesscenter/blogs/mcallister_on_software/145566/response_team_boosts_open_source_security.html
Pondering when your next break-in will happen
,----[ Quote ]
| I mean how much trust can you have in say, Microsoft, which has, nine
| count 'em nine "high risk" vulnerabilities. Three of those have been on the
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| list for more than a year, and one is closing in on its second birthday.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^|
| In all fairness, Microsoft isn't the only bad egg. Computer Associates, IBM,
| Novell and HP also make multiple appearances on the list.
|
| Still, it does make me wonder. How long exactly can some of those ancient
| security holes go unfixed before someone else discovers them? Say someone who
| will immediately put his discovery to use by quietly infecting a few million
| Windows PCs?
`----
http://blogs.computerworld.com/pondering_when_your_next_break_in_will_happen
Other flaws they just sweep under the rug too. Not anymore:
Hacker marketplace to help build 0day appliance
,----[ Quote ]
| WabiSabiLabi, the company best known for building an online marketplace for
| security flaws, is getting into the hardware business.
`----
http://www.linuxworld.com.au/index.php?id=307887698&rid=-50
Recent:
What spooks Microsoft's chief security advisor
,----[ Quote ]
| Speaking at the Boston SecureWorld conference Wednesday, the 19-year
| Microsoft veteran whose job includes protecting enterprises, developers and
| Microsoft itself said there actually is plenty of good news on the security
| front. For example, his outfit scans a half million devices (with customer
| permission) per month and in the first half of last year saw the first
| period-over-period decline in new vulnerabilities disclosed across Microsoft
| and non-Microsoft software since 2003.
|
| However, 3,400 new vulnerabilities were discovered and “it’s still a big
| number,” Arsenault says. “So if vulnerability rates are down, where are
| they?”
`----
http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html
With Vista breached, Linux unbeaten in hacking contest
,----[ Quote ]
| The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on
| the last day of the contest; but it was Linux, running on a Sony Vaio, that
| remained undefeated as conference organizers ended a three-way computer
| hacking challenge Friday at the CanSecWest conference.
`----
http://www.linuxworld.com/news/2008/032908-with-vista-breached-linux-unbeaten.html?fsrc=rss-linux-news
Bots rule in cyberspace
,----[ Quote ]
| USA TODAY REPORTS that on an average day, 40 per cent of the 800 million
| computers connected to the Internet are bots used to send out spam, viruses
| and to mine for sensitive personal data.
`----
http://www.theinquirer.net/gb/inquirer/news/2008/03/17/bots-rule-cyberspace
http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm
Vista SP1 will contain undocumented fixes
,----[ Quote ]
| Interesting email in today mailbag: “Will SP1 contain undisclosed or
| undocumented security fixes?”
|
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house.
`----
http://blogs.zdnet.com/hardware/?p=1225
Related:
Critical Vulnerability in Microsoft Metrics
,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.
`----
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
Skeletons in Microsoft’s Patch Day closet
,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----
http://blogs.zdnet.com/security/?p=316
Beware of undisclosed Microsoft patches
,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----
http://blogs.zdnet.com/microsoft/?p=527
Microsoft is Counting Bugs Again
,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html?kc=MWRSS02129TX1K0000535
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIIWdBU4xAY3RXLo4RApXyAJ0fqRxacfdAfQy44gS7Dg7+J0rUpgCfU5ad
RPKR023QD65sj7aFwWcZ2eY=
=mb2I
-----END PGP SIGNATURE-----
|
|
