Here, in Russia, we have some local TechEd-like event, called “Platforma” (“The Platform” maybe). I am going to take part in the event not as mere visitor but as a lab instructor (it will be named “UAG and DirectAccess”, I believe) and an expert in Ask the Expert section and even maybe a speaker (this one not decided yet on). The first one is quite a challenge for me, because I am now to study the whole new for me product in less than a month sufficiently enough to answer at least basic questions. Yes, I know something about DirectAccess, but I totally ignorant in anything one can tell about UAG. Consequently I won’t have much time for my blog. so, next month there will be mostly news and short articles with links. Sorry, I will set it right again as soon as Platforma finishes. =)
The second topic I’d like to raise in connection with the vulnerability in VMWare products is almost Shakespearean one. What should do a person or an organization in case they found a vulnerability? Tell the vendor and publicly disclose at the same time? Only publicly disclose? Notify the vendor and wait for a patch? There is a bunch of strategies, as you can see. As usual everyone has its own point of view on the problem. Microsoft, for example, follow theirs Coordinated Vulnerability Disclosure Policy. That does mean that they want the time to create and test a fix before public disclosure (so that to give the customers as little problem as possible) and will give anyone that time. Google drive Responsible Disclosure Policy, giving anyone 60 days to close the breach. The first option gives a vendor time to do really good testing, so that not to harm customers, but it may provoke them to procrastinate delivery of the cure. The second seems to force a vendor to fix an issue ASAP, but producing patches in the very best case can take up to 3-4 weeks. In some cases it can take even more time. Dissemination of the information about the vulnerability before the patch hits public availability may hurt even more than long waiting for the patch without public awareness of the security hole. Or, maybe not? The security is a strange area where there is no trustworthy statistics on many things.
So, I guess, everyone just will find their own way of disclosure (regardless what is the reason for the choice: belief, own statistics or marketing). The question is what to choose for myself? What am I to regard as acceptable for myself? The practice has showed that I am more on the MS side of the road: I will disclose the information to vendor (and to my company’s security officer, of course). But what will I do in case they don’t do anything? I have not been in such a situation, so it is hard to say. It will depend on the vulnerability severity, reaction of the vendor and time. May be somewhat later I will threaten the vendor with disclosure and then just disclose. Fortunately my contact with VMWare was not the case, so I still do not know how I would deal with it: from my report till the new version there was only 17 days.
I’m interested, though, what do you think on the issue?
- MS Security advisory: Insecure Library Loading Could Allow Remote Code Execution
- Cloudapp.net: cool apps–useful and not
- Remote Desktop Connection Manager
- Freebies #2: Diagrams for SharePoint 2010
- Microsoft Professional Advisory Services
- Freebies: Free Visio stencils
- Group Policy Search App
- Now! I mean NOW!!!
Bingo: one click and all my messages for the month are published.
To install the tool visit http://bit.ly/wlwwrapupdl.
Then start it, enter your feed address, blog post title, and select the range for you wrap-up (click (don’t release the button) on a first date and slide cursor to the last date) and click “Blog This!”
Yeah, the guys have done really important job: from now on you don’t need to think what direction a battery has to go to to your device. Instaload technology is a very simple (as any brilliant idea): just place two contacts on each side of a battery slot instead of one. Now just put your battery as it is positioned in your hand and enjoy.
The only ingenious device to invent must grant you the same ability in case you need put several battery in a row
According to Brandon LeBlanc almost half of the Windows 7 has been installed from x64 image. I think this is not due to the fact Windows 7 does something special with this architecture (well, comparing to Windows 2000 it does: it works on it =) ), but more to the fact that OEM vendors install x64 and there is very many computers with more than 4GB of RAM. Anyway, Brandon says “Happy 64-bit computing!” and couldn’t agree more.