Date: Wed, 23 Mar 2011 11:53:03 -0700
From: Mike Hoskins <michoski@...co.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
On 3/23/11 9:46 AM, J. Oquendo wrote:
> How about we reflect reality?
We can't honestly do that, we all only have our perception. It's funny
how we can get stuck in a trap of 0 and 1.
My perception is we'll always disagree on disclosure technique, or at
least nitpick some minor detail into infinity like we do with politics
or religion. We're human after all.
That said, bugs exist whether we find them or not, every piece of software has
them, and if the author had never reported them, that in no way implies
they were not already known and/or being used for subversive means with
the potential intent to cause harm.
I guess I'm oldsk00l enough to like responsible disclosure, but also
anti-authoritarian enough (who's making the rules? why are they god?)
to believe this is not black and white. Scare away those who disclose
(regardless of method), and you're left with undisclosed vulnerabilities
the bad guys with the most to gain ($$$ to invest in teams of
hacke^H^H^Hengineers, not just script kiddies) still know about and can
most effectively leverage.
I say the only bad disclosure is no disclosure. If vendors can't move
fast enough, they'll be usurped by those who can make better use of new
processes and technologies to keep up with trends.
PS: Is this really "hot" now? My only thought when I read the original
post was "about time" -- SCADA has been known (as in publicly aired on
broadcast television) to have many gaping vulnerabilities for at least a
decade. The (obviously bogus) justification was usually its restricted
deployment model.