path: root/old/published/Webmonkey/Monkey_Bites/2007/08.06.07/Mon/tendays.txt
Security is a cat-and-mouse game, and which side is the cat and which the mouse is almost always murky. Many times security researchers, dismayed at a vendor's lack of response to exploits, release details into the wild in an effort to force the vendor to issue a patch.

Mike Shaver, Director of Ecosystem Development at Mozilla, recently boasted at a Black Hat conference after-party that the Firefox developers could push out a patch for any exploit in "ten fucking days."

Shaver went so far as to write the bold claim on his business card and give it to Robert Hansen of ha.ckers.org. Naturally, Hansen [posted a scan of the card on ha.ckers.org][1], which prompted Mozilla to [publish the following retraction][2]:

>This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.

Obviously, given the context -- late night, party, etc. -- Shaver did not act in the most appropriate manner, but even Hansen notes in his post that he did not take the statement to be an official policy of Mozilla.

Of course, that didn't stop the media from treating it as such. The note took on a life of its own and many news outlets tried to spin it as some sort of challenge to the hacking community.

So, while Mozilla's [recent slew of fixes for Firefox][3] do in fact almost meet this ten-day deadline, don't expect that to always be the case.

[1]: http://ha.ckers.org/blog/20070803/mozilla-says-ten-fucking-days/
[2]: http://blog.mozilla.com/security/2007/08/06/mike-shaver-ten-days-and-expletives/
[3]: http://blog.wired.com/monkeybites/2007/07/firefox-update-.html