IBNeko's Journal-Nyo~!
ibneko
Windows flaw...
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html?track=NL-102

Supposed to be a really big one. Again, I rejoice in using a mac~

--
...I just found out about Kagan. -.-;;; Test tomorrow, just got packet today. Curse the stupid schedule conflicts. I guess we got them on the first full day back, eh? :P ::sighs:: Now to read all 52[edit | I can't count. that should be:] 27 pages... sucksucksucks. And Mr. Hines tells me that I got a 0 on the first CNQ...

--
Oh, yeah, and Time talked about shoujo manga and pointed out Fruits Basket. The summary sucked.

[ edit | Time, not Times ]
Comments
porsupah, February 12th, 2004 12:05 am (UTC):
Good grief... I do enjoy the official response:

"Security response requires a delicate balance of speed and quality. This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix. This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of a single anomaly reported to us."

"[... the patch] should be applied as soon as possible because it handles a vulnerability in our most trusted sub-systems: authentication, encryption/decryption and digital certificate handling"


So, it's this important - why was there inadequate testing, in that case? Bugs can happen, and commercial pressures often necessitate relegating less important ones until later - but a core, security critical portion like this has no place being deployed until proven. Excusing a 200-day delay in issuing a patch on the basis of being thorough rings rather hollow, when the known vulnerability is bad enough; they were afraid of making the problem worse?

Ah well. It all provides lots of people with employment, which is a very good thing. ^_^ Including one person referenced, with an especially cool business card: "Marc Maiffret, chief hacking officer".
ibneko, February 14th, 2004 05:52 am (UTC):
::nods:: I agree... 200 days is a bit extreme. I'd say 1/4 of that delay would be the max people should have to wait for such a critical patch.
"they were afraid of making the problem worse?"
Well, with big chunks of code modified and patched so many times, and with many versions out there, testing for bugs spawned by the patch would be needed... It would look even worse to release a patch that broke other things. It shouldn't take them that long though.

Yes, employment is good. hehe, chief hacking officer.

Someone needs to write a program (or shell or emulator that would run multiple programs within it in a "sandbox") that would simulate a human so it can test for problems and bugs... For example, if you load, say, Microsoft Office, it would test all clickable, user-accessible parts of the program by simulating mouse clicks and keyboard input, testing for speed, bugs, etc., as well as network-related and OS-related things... It would take quite a bit of time to run, I suppose, but if you distribute it over a network of computers and have each of them test an area of the program, it should run fairly quickly...
marbenais, February 12th, 2004 06:15 am (UTC):
It's Time, not Times.
ibneko, February 13th, 2004 02:11 am (UTC):

Bah... I shall never remember. Fixed now.