[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070718113532.B52810@home.ephemeron.org>
Date: Wed, 18 Jul 2007 11:37:02 -0700 (PDT)
From: Bigby Findrake <bigby@...emeron.org>
To: Chris Stromblad <cs@...post24.com>
Cc: Gadi Evron <ge@...uxbox.org>, bugtraq@...urityfocus.com,
seclists@...holm.com
Subject: Re: Internet Explorer 0day exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 18 Jul 2007, Chris Stromblad wrote:
<deletia>
> One more thing about "advisories". I think it would be better to release
> them immediately and let people know what they are facing. With public
> dissemination of a vulnerability perhaps someone will release a 3rd
> party patch or another inventive way of protecting oneself. Holding it
> "secret" really doesn't help anyone.
With regards to your last statement, I would like to believe that that's
so, or at least that if there is some harm in "early release" of
information that that harm is mitigated (if not outright outweighed) by
the potential good that's done by alerting the community and thereby
allowing them to develop their own responses.
I guess what we're really talking about here is the perceived potential
negative impact of letting the bad guys know that a vulnerability exists
in space X (that they might then attempt to exploit where without that
knowledge, they wouldn't try to exploit it even if it could be argued that
they would attempt to find it) vs. the perceived potential good of
allowing the good guys to attempt to formulate their own defenses
tangential to some sort of "official" response.
It seems to me that without metrics (how many early release advisories
turned into exploits that wouldn't have been created without said
advisory?) that all discussion on this topic is either philosophical or
academic (which is not to imply "without merit").
> Anyways, enough ranting.
I, for one, enjoyed your rant.
- --
Making files is easy under the UNIX operating system. Therefore, users
tend to create numerous files using large amounts of file space. It
has been said that the only standard thing about all UNIX systems is
the message-of-the-day telling users to clean up their files.
-- System V.2 administrator's guide
finger://ephemeron.org/bigby
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQA/AwUBRp5dzuG50ohcWywfEQIaGwCdFvAHqttbczpDKBmJXkJZrDf1/BgAnRzh
tNxtwD2MTu+qYgDY0EpRCuC0
=xb3M
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists