valdis.kletnieks at valdis.kletnieks at
Tue May 16 17:37:01 UTC 2017

On Tue, 16 May 2017 09:40:50 -0700, JoeSox said:
> What would be more of an interesting discussion, to me, would be why
> doesn't Microsoft know about these hoarding of vulnerabilities by State
> actors and plug them up?

It's pretty hard for Microsoft to know about an exploit the NSA is sitting
on, until Shadow Brokers or similar spills the beans.

> Are they really that clever of vulnerabilities? Does Microsoft not have the
> resources?

The talent pool for top-flight hackers is not all that large.  And even if
you acquire a large skilled team, there is *zero* guarantee that some other
talented team won't find a hole that your team didn't spot.  In fact, there's
a lot of good reason to believe that exact situation happens *all the time*.

> Is Windows like the ocean, where there are just hundreds of new
> species awaiting discovery?

Find statistics on average number of bugs per thousand lines of code.
Find estimate of how many 10s of millions of lines of code ships as part
of Windows.  Do the math - and have alcohol handy for the almost certain
drinking binge that the answer will inspire.

> Did Microsoft at least know of the NSA vulnerabilities, for example, and
> kept it classified until NSA told them to plug them up?

There's lots of informed speculation on that one, but I can almost guarantee that
you'll never get a definitive answer from somebody who actually knows.
