[194650] in North American Network Operators' Group
Re: Please run windows update now
daemon@ATHENA.MIT.EDU (valdis.kletnieks@vt.edu)
Tue May 16 13:41:56 2017
X-Original-To: nanog@nanog.org
From: valdis.kletnieks@vt.edu
X-Google-Original-From: Valdis.Kletnieks@vt.edu
To: JoeSox <joesox@gmail.com>
In-Reply-To: <CAAXNyuD2VvmS8FrfzL900DeTRDfVHSyGG+Ca=rO6tyqUm86hrg@mail.gmail.com>
Date: Tue, 16 May 2017 13:37:01 -0400
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, 16 May 2017 09:40:50 -0700, JoeSox said:
> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about this hoarding of vulnerabilities by State
> actors and plug them up?
It's pretty hard for Microsoft to know about an exploit the NSA is sitting
on, until Shadow Brokers or similar spills the beans.
> Are they really that clever of vulnerabilities? Does Microsoft not have the
> resources?
The talent pool for top-flight hackers is not all that large. And even if
you acquire a large skilled team, there is *zero* guarantee that some other
talented team won't find a hole that your team didn't spot. In fact, there's
a lot of good reason to believe that exact situation happens *all the time*.
> Is Windows like the ocean, where there are just hundreds of new
> species awaiting to be discovered?
Find statistics on average number of bugs per thousand lines of code.
Find estimate of how many 10s of millions of lines of code ships as part
of Windows. Do the math - and have alcohol handy for the almost certain
drinking binge that the answer will inspire.
> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?
There's lots of informed speculation on that one, but I can almost guarantee that
you'll never get a definitive answer from somebody who actually knows.