Thread by Robᵇᵉᵗᵒ Graham, 15 tweets
So this is just a recapitulation of the debate we've been having for decades. The underlying issue here is not "responsible (sic) disclosure", but development processes. Google dev is based on 24-hour cycles, Microsoft dev on 6-month cycles.
When a bug is found in Chrome, Google can fix it, test it, and release it to customers in a day. If a second bug is found in testing, it just means another day. When a bug is found in Windows, it takes around 90 days, and if a second bug delays this, it's another month.
Google manages Chrome as a piece of software that must be patched, and gives customers few options to do otherwise. Microsoft still manages Windows as software where patching is optional, even though in practice, it really isn't.
So we can't focus on Tavis's decision to adhere to the Project Zero 90-day disclosure policy. We must also factor in Microsoft's decision to have such slow development processes.
After 30 years of watching this "disclosure" debate, one thing that's clear is that Microsoft (and all other big companies) are as slow as they can get away with. If it weren't for vuln researchers adhering to a 90-day policy, Microsoft would be even slower.
I mention that because in the VEP (vuln equities) debate, people say the NSA shouldn't "hoard" 0days but notify vendors. But vendors won't fix those 0days unless the NSA is also willing to sometimes adhere to a maximum timeframe and disclose them publicly if not fixed.
Politically, the NSA could never publish 0days the way Tavis has just done, and Q.E.D., most of their 0days they tell vendors will never get fixed anyway. So they may as well hold onto them and use them to find and drone strike terrorists.
Back to Microsoft. The issue isn't that a bug was found in testing and they needed an extra 30 days on top of the normal 90 days. They should've had a fix at least within 30 days, and should only have needed an extension to 60 days.
So this response to my thread should be highlighted: instead of looking at it from the dev point of view, let's look at the problem from the customer point of view. Customers don't want daily updates to Windows.
But customers are wrong. It's like how Baltimore wants to sue the NSA because they hadn't patched Windows systems after 2 years. Software as exposed to threats as the operating system has to be patched faster than that.
Browsers and operating systems are in the same boat: their size, complexity, and exposure to threats are orders of magnitude beyond that of any other software. This necessitates patching.
But customers still buy medical equipment based on Windows that can't be patched and which fails when the next worm comes along.
That's fine. There are other ways of mitigating such threats, like hardening the operating system or firewalling it. Patching isn't necessary most of the time -- if you do your job right.
But customers have decided NOT to do their jobs right. That's why they don't want Microsoft to patch more often than "Patch Tuesday": they don't want to be responsible for mitigating bugs, but want Microsoft to be responsible.
If Microsoft were to move to weekly patches, customers would have no reason to be angry. They could decide to still only apply the patches once per month. The reason pitchforks would come out is because they can't make that sort of decision.