IMHE, PSIRT MUST always respond and stay engaged. But arbitrary fix periods fail to take into account the vast range of fix complexities, from 1 line of code to a complete redesign. Therein lies the challenge: all fixes are not equal and cannot be treated as such.
Replying to @BrkSchoenfield @mattaustin
Two things. First, that's a convenient excuse ("You just don't understand how complex it is", and then the patch is trivial and obvious). Secondly, you can fix your software whenever you like; that should not delay warning the user base about the danger they're exposed to.
Replying to @taviso @mattaustin
The typical case is that reporter and vendor have information that no one else has. Too often, required preconditions are privileged, tortured, or artificial. Hence announcement does not give users useful info; in fact, FUD.
Replying to @BrkSchoenfield @mattaustin
Think about what you're saying. Your position is effectively "when we lack data, we must favor the vendor". Why? This is why I keep saying "convenient". Neither of us can say what attackers are doing with the active trade in exploits, but "probs nothing" is pretty optimistic, no?
Replying to @taviso @mattaustin
And yes, there has been some really seminal research into what actually gets exploited and what not. There do exist some reasonable predictors. To my mind, we must use every available leverage.
Replying to @BrkSchoenfield @mattaustin
No, there hasn't. We have zero visibility into how exploits are used successfully; when we find exploitation in the wild we're only seeing the attacker's failure case.
Do you claim that there has never been an incident of successful undetected exploitation, and that the millions of dollars being spent on exploits is wasted? If the answer is you don't claim that, then please accept that we don't have visibility into this problem. Geez.
Replying to @taviso @mattaustin
Again, you're twisting my words to the extreme case, I suspect to create a strawperson that you can then knock down. We're not serving industry improvement. So, I'm sorry I jumped in again. Peace.
Replying to @BrkSchoenfield @mattaustin
Your position is that we must interpret lack of data in the most beneficial possible way to vendors. I suspect "industry improvement" means that we must do whatever Microsoft wants, so you're correct - I'm not going to agree to that.
Replying to @taviso @mattaustin
Didn't write either of those things. If I have not been clear, the fault is mine. If I have expressed myself clearly enough, then your interpretation is as you will. Again, peace, Tavis.
I'm finding this frustrating. I never claimed that you literally used those words, I'm pointing out the implications of your argument. This is how debate works, you can't make an argument then disown all the negative implications of that position as "twisting your words".