Re: I have a 0-day exploit, but don't want to tell you what it is
- Subject: Re: I have a 0-day exploit, but don't want to tell you what it is
- From: Jeffrey Walton <email@hidden>
- Date: Thu, 01 Aug 2013 20:18:54 -0400
On Thu, Aug 1, 2013 at 8:02 PM, Michael Crawford <email@hidden> wrote:
> It's not enough to report a bug.
>
> It's not enough to explain how to fix a bug.
Related: Microsoft tried developer education a long time ago, and it
did not produce the expected results. It's too much to ask that a developer
recognize their mistakes, especially some of the more subtle security
related mistakes. Microsoft now spends their money on producing tools
that make it harder for a developer to make the mistake in the first
place.
> What's required is to convince those who are in a position that they
> could fix it, will take _responsibility_ to ensure that fix, once they
> become aware of the bug in any way.
That problem has two factors. First is economic, and second is
political. The short version: it's cheaper to do nothing - it's built
into the risk equations.
To fix it, you would need to upset the risk equations via liability
laws so it costs more money to allow a bug to fester and rot (more
than doing nothing).
The political problem ensures that won't happen because politicians
are bought, sold and traded like baseball cards among lobbyists and
special interest groups.
Jeff