Not even making it to the airtight hatchway: Execution even before you get there - cleverjake
http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247870.aspx

======
nathanb
If the clearly ill-informed ramblings of idiots cause multiple Microsoft
developers, at least one of them very senior, to waste a week, I think I've
found an IRL DDoS vector into their dev process...

~~~
MichaelGagnon
If you really wanted to attack their vuln-investigation processes, you would
simply let them conduct business as usual since it seems they don't know how
to triage potential vulnerabilities. If you force the issue by conducting a
DDoS, they will respond by developing a better triage system that
de-prioritizes crank vuln reports more quickly. Not only will this defeat your
DDoS attempt, but it will make them more effective at handling vuln reports
going forward.

------
MichaelGagnon
Those two "reported vulnerabilities" are clearly not vulnerabilities. Whoever
spent 5 days investigating these "vulnerabilities" should be embarrassed
instead of blogging about it. The blogger, Raymond Chen, is somehow claimed to
be "Microsoft's Chuck Norris" <http://microsoftjobsblog.com/blog/raymond-chen/>

~~~
roryokane
Raymond explains why the vulnerability investigation took so long, in his
reply in this comment:
[http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247...](http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247870.aspx#10248173)

~~~
MichaelGagnon
Add together these three statements the author made:

(1) The vulnerability report exists in the "shadowy ground between the reports
that are clearly crackpot and the reports which are clear enough that you can
evaluate them with confidence" (from the blog)

(2) "Oh, we recognized it immediately. But it was so obviously wrong that we
began to fear that we were missing something." (from the comments)

(3) "this entire investigation took five days to complete, plus another day or
two to complete the necessary paperwork." (from the blog)

This blog post paints a picture that Raymond's organization does a bad job
triaging reports and prioritizing investigations. It's a waste of five days to
analyze an "obviously wrong" vuln report, just on the off chance that there is
something deeper. How about spending five minutes emailing the author of the
vuln report, explaining why it doesn't appear to be a vulnerability, then
asking if there is anything deeper?

It's also crazy to spend a day or two filling out TPS reports on a crank
vulnerability alert.

If an organization takes security seriously then it should spend increasing
amounts of time on increasingly plausible vulnerability reports.

~~~
bdonlan
Those 'five days' and 'another day or two' could easily include time spent
waiting on a queue, of course. In which case, it could be that only a few tens
of minutes of actual time were spent on the report.

------
dasil003
The title made me think of some scenario from the movie "Cube".