Posted on 11/11/2004 2:30:02 PM PST by Prime Choice
And let's not forget Steve Ballmer's moronic statement on how security issues should be handled...
I tend to agree with MS on this. Others in the business that find flaws in someone's software shouldn't make it public for the very reasons stated. It is sad to hear a bunch of whiners that can't do the great things that MS has done.
If Microsoft put a bounty on each security flaw found, and made it a substantial sum, Windoze would soon be hackproof.
Sorry, but Microsoft has a point. Simply releasing info about a security breach before a fix has been found is irresponsible. There ought to be a "decent interval" between the discovery of the breach and its public revelation. I think a month is about right. The discoverer should first notify the software maker, then promise to hold off for at least a month before announcing the problem. This strikes me as a reasonable compromise that protects the public's right to know about the problem, but also minimizes the risk that the problem will be exploited by some scummy computer vandal.
1. Microsoft makes shoddy software, putting consumers at risk.
2. Independent group spanks Microsoft for doing things as enumerated in #1.
3. And the members of the independent group are the "bad guys."
Maybe that's the way it is in the old Soviet Union. Here in the U.S., it's called free market capitalism. If Microsoft can't manage its own malware, it should get out of the business.
On the flipside though, a couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?
Keep in mind that this is coming from a user that has spent at least 4 hours so far - holiday time - cleaning up my kids' computer.
Oh, the irony!
LVM
"There ought to be a "decent interval" between the discovery of the breach and its public revelation."
Go back and read the story. You have your facts all wrong.
A tool found the crash and the guy asked for help in determining why. Someone else found the actual problem. It was a collaborative discovery. Neither person alone found or published the exploit. It was readily replicable every time you pointed this tool at a Microsoft browser.
Microsoft STILL has not published a fix.
Had this been the Mozilla, or Opera, or Konqueror browser, the fix would be in WIDE distribution already.
"On the flipside though, a couple of years ago I think, did not some third party announce a flaw and state that they tried to tell MS about it but were being ignored?"
Billy G has promised that's not going to happen anymore.
They STILL take way too long to get a fix out.
The problem with MS software is, even if I find a problem I can't fix it or even research its cause, because there is no access to the source code. It's like buying a car with the engine compartment welded shut. It might look like a fuel problem, but could be a gummed-up carburetor, and there is nothing I can do but call the factory and wait for them to fix it.
I guess we should all switch to Linex?
MS code is very robust, and of course has some problems (as all software does), but in the interests of us schlubs that have to use it, others should not publish the flaws (so AssH*les can abuse us) but instead let MS know so it can be corrected.
Yeah, that will give the people who actually know about it time to do their exploits undisturbed.
Good point. Still, the people working on the problem would have done better to carry on their discussion on a private e-mail list rather than in public. In all fairness, many private bug hunters would not think to do this. But it's the right way to investigate a security problem.
"I guess we should all switch to Linex? "
It's LunUx, not linex, and you might try it some time; you will be astounded. Go buy Novell's SuSE 9.2 personal edition for $30. It will knock your socks off with how easily it installs, and how much ROCK SOLID software it includes for the price.
Sorry, but in my current business those other misspelled and unheard-of software packages (that I am sure also have bugs) will not handle my apps.
According to Microsoft, trying to figure out what makes their software crash is a crime.
Really?
What apps are those?
I can run Microsoft Word, Excel, PowerPoint, Visio, Outlook and Internet Explorer. I can run QuickBooks. I can run Photoshop for Windows. I can run VB-created apps.
And I only use Linux.
If you've had a transition expert come in and he's determined that your apps will not run under Linux, then fine.
Otherwise you are speaking of things of which you have no knowledge.
And with all the money they make, you'd think they could afford a decent security audit of their crapware.
koniace: The problem with MS software is, even if I find a problem I can't fix it or even research its cause, because there is no access to the source code.
----------------------
"great things" ... Yeah, riiiight...
The only great thing about Microsoft is the arrogance of their marketing people -- and the gullibility of the sheeple who buy into their bu||$#!t...