funsec mailing list archives

standards status in the industry - opinion?


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 07 Jan 2006 01:09:57 +0200

Hi guys. I just replied to a flame-bait on bugtraq explaining (hopefully better) what I was trying to say. I figure a discussion on this can be cool.

Please read and let me know what you think.

        Gadi.

5 points in this post, all directed as a personal attack. I learned to answer only one out of every flame-baits, so I will concentrate on the ideas behind the post instead.

Microsoft did nothing wrong, in fact, they did great. Microsoft is an easy choice in this case because even though each case varies, they showed a capability here to deal with issues much faster than usual.

Now, the point I am trying to make is not MS-specific, but rather about our standards in the industry.

As an example, take false positives. A HUGE problem I[DP]S experts try to deal with every day, invest a lot of time in, and yet can't solve... therefore we in the industry got used to a level of false positives.

Same goes for vulnerability scanners... false positives appear as a way of nature.

And yet, some vendors are different from others, in I[DP]S as well as in vulnerability scanning. Some vendors invest less in features and more in eliminating false positives. They treat them as full-blown bugs rather than "something to live with". It works -- at least better than with others.

Same goes for patches.

In the Oracle case I was in complete agreement with Dave, but my opinion was that the medium was wrong, and in some cases - the medium is the message. That's something we'd have to disagree on.

In this case though, it is once again about standards. Microsoft shows Oracle is not alone, although they achieved amazing progress, especially in the last couple of years.

If a patch can be put through full testing and released within days when it is taken seriously enough and resources are invested - no matter for what reason, I see no reason myself that this can't become common practice.

We should be practical in our demands, but if in practice this can be done in days, surely vendors can step it up a notch on critical issues. Microsoft runs on most of the computers on this planet, therefore they are to be treated differently, for better and for worse. A year+ of waiting for a patch while people might be exploited is unacceptable according to the standards we should be upholding now that we know what is possible.

We are like a toad. Throw us into boiling water and we would jump right out, screaming. Slowly raise the temperature of the water and we might not even notice it.

Then suddenly... we see a bright light, and that is that standards in the industry are too low. That is my opinion -- I may be wrong, but if you wish to dispute it, I suggest you at least try rather than baiting for a flame war. :)

Happy new year,

        Gadi.