Depends on the business you’re in. Sometimes an “environment” is a rack (or 2) of servers and that might be 100k-400k/rack before space & power & bandwidth.
What's the reasoning here? (not challenging you, just want to make sure I understand your thought process).
I imagine it's something to do with the fact that some of the words won't be "offensive" by themselves, or perhaps even at all to all people. So naming it deny disassociates the reason from the word? I.e. sometimes the word itself is offensive, sometimes it's fine but part of offensive combinations, etc. etc.?
I agree /lives/ aren’t directly at stake, but depending on what your business is, /livelihoods/ are.
When you’re an entrepreneur and have a small team, each of them may have a family. As the leader you are responsible for running a profitable company that can pay its employees so their families can eat.
At the large company I work for my team’s product is B2B. When we go down, other businesses go down. The number of people affected is very high. Treating every incident like someone’s business is dependent on you and they have put their trust in you to support them is very sobering.
Genuinely curious: What’s the reasoning behind “unrestricting” this ahead of its 90 day window? (It’s tagged Deadline-90, Reported-2019-Apr-18 On Project Zero, so that’s July 18th?)
Yeah but maybe it would be nice for users to keep that extra time in order to maximize the probability that they have actually updated software at disclosure time.
Disclosing in advance is a bad policy; it will just incentivize well-behaving vendors that update fast to delay the full description of their changelog for security reasons, because you put their users at unnecessary risk.
Security researchers have to assume that if they've found a vulnerability, it's only a matter of time before the evil people will find it as well - that is if they haven't found it already.
That's why all disclosures come with a window - if they don't, the companies aren't under any pressure to update their systems, the exploits start being used in the wild, etc. The window is not ideal, but it is better than no window.
And there isn't much point arguing over 30 vs 90 vs 120 vs 365 days. 90 is reasonable, enough for even the largest mainstream software companies to issue a patch release.
Still makes no sense. I agree the window is a good policy to force lazy vendors to act as they should.
But what’s the point of reducing the window for nice vendors who quickly delivered a patch?
This is totally counterproductive. In order to incentivize vendors to deliver patches more and more quickly, good actors should profit from that extra time to secure their user base. In an ideal world that might even permit reducing the window in the future when everyone behaves well.
This is just jerking around and sending a bad signal, unless of course that anticipated disclosure date was decided together with the vendor.
I think patching is firmly in your hands now, and this data may help you choose to upgrade if you were holding off for some reason. Imagine your favorite iOS game was broken by the release that fixes this, so you've been ignoring the update. Now that you know your phone can be bricked by a malicious text message, you may decide "I guess I won't be playing that game for a while" and upgrade. The point is, pretty much everyone that applies every update (which is automatic) has the update now. The last few stragglers are probably waiting for information exactly like this. Now they have it.
The patch itself reveals the vulnerability. Attackers analyze these things to see what they’ve fixed. If you release a patch but don’t announce the vulnerability that was patched, then you’re just hiding it from good guys who don’t have time to dig through the patch.
I wouldn't be terribly surprised if the vendor asked for it to be disclosed late in the afternoon before a long holiday weekend (in the US) with the hope that mainstream press outlets would not notice.
Your incentive line in no way matches reality. In the past, every vendor that was given an unlimited open timeline on patching has not patched. This includes Microsoft, Apple, Oracle and most of the other large vendors. Most of them are better at patching, but this is mostly because of the risk of someone zero-daying the patch and destroying the userbase.
Security is not an ideal world, in fact I would say it is the opposite.
Microsoft (employees) have repeatedly argued that 90d can be unreasonable for Windows due to the development and testing cycle, which also has to align with “patch Tuesday”. I haven’t heard the complaints recently, so maybe they’ve streamlined part of the process.
Windows 10 might be the largest enterprise codebase at over 50 million lines of code. It probably takes 30 days alone just to browse to the file that has the bug.
The other side is that the moment a patch is released, people will diff it to the previous version making it much more likely this issue is found by a lot of independent people who might seek to exploit it.
That sounds like a logic flaw because iPhones and most other devices like it will normally auto update after a short while. I think more people will rely on that feature than browse, uh, bugs.chromium.org...
This view of it will assist hackers in getting a head start before the auto update cycle gets to your device and you're notified. And if you're hit by something like this before that, your iPhone will no longer be able to update and apply the fix.
Of course, there's no way to find an objectively "correct" time frame since update cycles vary, but a month or two ought to give plenty of time for the updates to roll out and users to be made aware.
Sounds good in theory. In reality, the vast majority of iPhone users are not aware that this bug exists and never will be. The best action for user safety is to wait until the period has elapsed or the exploit has been seen in the wild already.
Alternatively, they could publish the gist of the exploit without providing enough detail to actually perform the exploit.
Publishing it like this will make them more likely to be aware of it. They may not read Hacker News but it spreads to Facebook user groups etc.
The bad guys (enough of them) will figure it out right away anyway after the patches have been published, because with every patch, people will (and should) ask "why".
Reading (dis)assembly is a skill many in our profession are required to learn. It’s common in the OS & security fields. Heck, when developing Windows on ARM we were told on Friday that we’d come to work Monday with a mandatory “no source” debugging session where we had up to an hour to describe a hung program’s intended behavior and why it was hung. One of my colleagues also refused my symbols when I asked for help debugging a program. He was more comfortable in ASM than the latest C++.
http://gs.statcounter.com/ios-version-market-share/mobile-ta... shows 12.3 at around 50%, so the question for me would be what percentage of that long tail would upgrade within any reasonable extension period. Public news might actually accelerate that since it gives people a reason not to procrastinate hitting that button.
I’m not sure of the stats honestly but there’s still going to be a huge long tail of people on earlier versions for months afterwards. I was surprised that I was still on iOS 12.2.
I’ve seen scripts get checked in and deployed just like you would a new service (code). Same Code Review process and same release pipeline.
In this particular case, commands that were run on a Production machine were by-design limited to what they can do and affect (mostly just the physical host they’re run on or a few hosts in the logical group of hosts they belong to).
The Stasi would have still found out that he fled the republic as long as he entered West Germany under his real name. His girlfriend would still have been interrogated etc., perhaps a little less since it would have been easier to feign unawareness with her boyfriend just disappearing out of the blue.
The real beneficiaries would have been the students helping him and the teachers. They would have been able to travel to the GDR (to see their friends/family) since they likely wouldn’t have been connected to the escape.
The bravery the girls displayed was for defying the East German dictatorship. It could have ended much worse for them had they been found out before crossing the border. They did put their fellow students and teachers at risk, no doubt. But after the fact it seems pointless to punish them for helping a fellow human being escape dictatorship. Aside from maybe discouraging future travelers from such actions.
The book “The Dictator’s Handbook: Why Bad Behavior is almost always Good Politics” explains this fairly well. It’s a great read, maybe a bit depressing.
TLDR: it’s cheaper to pay off a small group (family) rather than a big group (populace).
That is by far the best book I’ve read about politics. It starts with a simple premise and is able to explain a lot. This video gives the short version - https://youtu.be/rStL7niR7gs
[disclaimer: I haven’t been a people manager for too long, so take it with a grain of salt]
I block off some time each day to do ‘something technical’. Sometimes it’s making something pretty that was ugly before. Sometimes it’s learning a new tool my team is considering picking up. Generally these are things that are important, but not urgent.
For larger projects, I often attend the design reviews. Sometimes I help on the designs, especially if it’s a new product altogether.
All managers on our team are also required to participate in the on-call rotation.
Between those three, I feel like I am still “in the trenches” enough to not forget what it’s like.
I help write unit tests for code my team is working on. It's fairly non-blocking (we won't slip a delivery date if I get pulled into something else for a few days) but still requires me to understand the code base and ask questions of the engineers.