Here's an excellent example, Microsoft literally told customers this bug was too complex to fix in 3 months, but ended up being the trivial one-line check we assumed it would be. https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
You can't tell me the complexity was testing either, because the tests are open-source and they literally just call it with rand() 1000 times.
3 replies 0 retweets 7 likes
Replying to @taviso @mattaustin
Sometimes mistakes are made. When I had to deal with PSIRT, I was always interested in solutions from reporters. But then, I can cite many examples where the fix appeared trivial and was not - at least, to do it correctly.
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
You don't see the problem with "just give PSIRT as much time as they like", while the users sit there vulnerable?
6 replies 0 retweets 1 like
Replying to @taviso @mattaustin
My answer is that the current methods are broken: a disservice to honest software makers. And a disservice to the research community’s profoundly important contributions. Mostly, one way or other, it’s users who lose.
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
That's a very vendor-centric opinion, that your users lose by understanding the limitations and risks of your products. Many people (like me) disagree, and believe your users win by understanding the risks and flaws products pose.
2 replies 0 retweets 1 like
Replying to @taviso @mattaustin
We security folk need to provide the risk analysis about which issue affects whom, how. Who needs to respond, who can ignore. (BTW, I’ve published quite a few of those; I’m walking my talk here)
1 reply 0 retweets 1 like
Replying to @BrkSchoenfield @mattaustin
How convenient, users should be deprived of information about the risks in the products you sell. Do you believe this applies to other products, is it wrong to tell people you see tainted food being sold?
2 replies 0 retweets 1 like
Replying to @taviso @mattaustin
Twist my words, why don’t you? You really want to turn this into an argument? I don’t. I’m interested in improving our collective practice. Go insult someone else, if you must. /out
1 reply 0 retweets 0 likes
Replying to @BrkSchoenfield @mattaustin
You reply to tweets really strangely, apparently in random order and sometimes to unrelated threads. I don't see how an analogy to reporting tainted food is an insult, I'm pointing out an inconsistency in your position.
1 reply 0 retweets 0 likes
My impression of IOActive is that they will defend Microsoft to the death, so when you say you only want to improve our collective practice, is it not fair for me to point out that you're arguing for a very pro-Microsoft position? That might count as "improve" for you, not me.