Microsoft Makes Major Shift In Disclosure Policy
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
Why would anyone report a vulnerability to Microsoft? Unless they start paying for the info, I say post it online the second you find it and to hell with Microsoft.
Liberals are clear-eyed, cool-headed rationalists, implacably opposed to dogma and superstition. That’s why they reject the fairy-tales of the creationists. Like this one: The Universe was created in six days and is now only 6,000 years old. Laughable. Or this one: Noah’s ark rode out a world-wide flood for forty days and nights with a huge collection of animals on board. Ludicrous. Or this one: Mass immigration by non-whites into White societies will produce peace, prosperity, and happiness for all. Ridic– Whoops, sorry, my mistake. I’m mixing my fairy-tales up. That last one belongs to the liberals, not the creationists.
Yes, the truth is that liberals don’t really object to dogma, superstition, and fairy-tales at all, they just object to the wrong kind: the old Christian kind. They’re perfectly happy with the new kind – their kind – and they hate science just as much as creationists when it threatens to contradict their irrational dogmas. Race does not exist. IQ tests measure nothing but the prejudices of IQ testers. Differences in the psychology and behavior of men and women are solely the product of social conditioning. Those are three of the biggest liberal dogmas, and for the past forty years, led by pseudo-scientists like Stephen Jay Gould (Jew), Richard Lewontin (Jew), Leon Kamin (Jew), Steven Rose (Jew), and Jared Diamond (guess), they’ve fought tooth-and-nail against the ever-growing scientific evidence that all three are completely wrong. Race does exist, IQ tests do measure something real, and men and women are innately different in psychology and behavior.
More evidence of how liberals can’t tolerate true science comes from their ignorance about one of the most important of all scientific tools: the controlled experiment. When you have an idea or invention to test, use a small space to start with and compare what happens with a control where you don’t do anything. One of the advantages of this method is that if something goes wrong, you can easily contain the problem. Suppose you have a new chemical that might help crops grow faster and feed more people, but might have unwelcome side-effects too. You need to test it to make sure it’s safe, so the obvious thing to do is manufacture huge amounts of the stuff and use it on every farm in the country. That way, if every plant turns yellow and dies after two weeks, shortly before farmers and their families start developing strange and deadly new cancers, you’re up shit creek without a paddle. But you can at least say that your heart was in the right place.
If you think that sounds wrong, you’re obviously not a liberal, because that is actually a good description of how liberals have been testing the effects of race mixing. Mass immigration by non-whites is an experiment on a huge scale with no controls whatsoever, and if it all goes horribly wrong the ordinary Whites of Europe and America, who never asked for or wanted the experiment to take place, will be left up shit creek without a paddle. It will be no consolation that many liberals will be sharing the canoe with them. Other liberals, with the money to buy their way out of a self-created disaster, may be able to flee somewhere still safe like Iceland or the far north of Canada. If so, then maybe after a few years, when the memories of massacre and rape by non-whites have begun to fade, their crazy liberal religion will re-assert itself and they’ll begin agitating for more “diversity” in the hideously White societies that surround them.
That’s why the native Whites of Iceland and northern Canada, if they have any sense, will arrest those fleeing liberals as soon as they step off the plane and deport them straight back where they came from: the racially mixed hell-holes their criminal ideas and actions helped create. After all, there’s no way the refugees could plead innocence or ignorance. The disastrous effects of mass immigration are already obvious now in the experimen
I am very curious how Microsoft defines "ample time", especially considering some of their vulnerabilities (like the one recently "patched" in the DOS subsystem) have existed for years or decades.
This isn't a slam at Microsoft, it's a hope that someone has some clarification that can be used as a context to determine if this statement means anything. Even when the terms of their statements are less ambiguous, they seem to find ways of backpedalling - thus greater clarity on something so very ambiguous is warranted (even if it turns out to be pointless in the long run per whatever practices they actually employ).
Oh wait, the summary is not correct (of course) - but the reality of the statement is worse:
Microsoft:
CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.
In other words, this statement really says "You should never tell anyone but us, unless active attacks are taking place - but even then, you should coordinate such with us" (at which point, they will probably say "don't tell anyone" as has been the current and previous cases).
Also, who are they to dictate how (and to whom) researchers disclose such information? Is there some legal basis for this, or is (will) it be under the threat of using their financial muscle and influence to try to get the person charged with some sort of online security or terrorist crime? Yes... for those who don't know, the Patriot Act does indeed cover such things.
Additionally, the spin group at Microsoft said this, which is misleading in the grand context of this problem:
Microsoft:
However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.
The truth is, once a vulnerability is released to the public and exploited, Microsoft is somewhat forced to fix it in a more timely fashion - as opposed to ignoring it for years (the numerous .NET exploits that still aren't fully patched) or decades (the DOS exploit recently patched).
This is really a non-news item as this is business as usual, carefully worded to seem like Microsoft is changing their stance on things (while the reality is, they are not).