What WannaCry showed is disclosure without some critical threshold of customers actually patching quickly is cybersecurity homeopathy.
Replying to @pwnallthethings @emptywheel
VEP needs to move from thinking about "how many bugs are disclosed" to "how do we fix classes of bugs" and "how do we patch quickly"
Replying to @pwnallthethings
And the numbers collected here will provide some base level data -- with adverse publicity -- addressing the latter Q.
Replying to @emptywheel @pwnallthethings
The classified report will let the Intel Committees, at least, see if we're talking classes of bugs, won't it?
Replying to @emptywheel
Don't need a classified report to tell you that. E.g. notice how WordPress has had more than one SQLi bug and yet still doesn't parametrize
Replying to @pwnallthethings
But is that a factor of what NSA/FBI/CIA are using at all?
Replying to @emptywheel
EternalBlue was an SMB 0day. Microsoft knew SMB was a sketchy protocol parsed in the kernel and fixed dozens of bugs in it over years.
Replying to @pwnallthethings @emptywheel
They could have moved it out of the kernel and processed it in a memory safe language. Their choice not to was their own business decision.
Replying to @pwnallthethings
And that argument would be a lot more sound if NSA had only been able to keep it from leaking all over the web as an exploit.
Replying to @emptywheel
For sure. But that it was patched < it was leaked on the internet and customers were still not patched 9wk later was also business decisions
These reports are in the bill, presumably, because it got leaked. And patches MIGHT have happened had MSFT not politely said [shh, patch].
Replying to @emptywheel
Would have been faster if, like the Windows Defender bug reported by P0, they didn't sit around waiting for users for 9 wks and just installed it