Message-ID: <000601c2475b$fdca8820$b0b354d2@wsp01>
From: fred at the-debaters.com (Fred)
Subject: (no subject)
"well then that's the company's problem, isn't it. in a hypothetical
situation like that you should be aiming your complaints not at the lack of
a security industry but at the software developers' idiotic business
practices."
Aye, it is idiotic business practices, but as much as it is the $company's
problem, it is also the users'... as they are using the software with the
hole, and they must protect themselves and their clients.
(btw, although it was presented in a hypothetical manner, the mentioned
situation has proven itself to be the real case too many times.)
"not really. if the concept is out there but the vendor isn't going to do
anything... then you're posing a greater security risk by having the
vulnerability out there, aren't you? forcing vendors to fix bugs by
threatening to make those bugs public is a poor solution to shoddy workplace
practices."
Ok, but if someone like me finds a major security hole in a widely used
system, chances are a great many $kiddies are already aware of the problem,
whether through self-discovery (hehe, yeah right), or through overhearing
blackhats sharing info.
By releasing the exploit it allows two things:
1) Experienced system administrators to devise temporary hacks to work around
the bug until it is properly fixed. (And let's say no one did know about the
exploit; I would lay money an experienced sys-admin could write a correction
hack faster than most $kiddies could figure out how to turn a proof of
concept into something dangerous... or even compile some of them :p )
2) It gives the $company motivation to fix the problem, where there was no
motivation before... why would a mega-$company fix a bug if in their mind no
one knew about it? They don't care... release info on the bug... and proof of
concept, and you question their reputation... this will get most $companies
moving.
Anyway, I am dribbling...
Cheers
----- Original Message -----
From: "sockz loves you" <sockz@...il.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, August 19, 2002 5:20 PM
Subject: Re: [Full-Disclosure] (no subject)
>
> ----- Original Message -----
> From: "M L Lynch [ SotG ]" <fred@...-debaters.com>
> Date: Mon, 19 Aug 2002 15:38:12 +1000
> To: <full-disclosure@...ts.netsys.com>
> Subject: Re: [Full-Disclosure] (no subject)
>
> > If you ever find a major security bug in a major piece of software, such
> > as M$ software, approaching the vendor directly does not work. Quite often
> > they will just add it to the end of the list of complaints, and might get
> > around to it in some future patch... if they feel like it... and if they
> > think the security bug you found poses great risk, they still won't fix it
> > till they feel like doing it.. instead, they now know who you are... and
> > they take subtle yet effective precautions to make sure you don't tell
> > anyone about it. I know.
>
> well then that's the company's problem, isn't it. in a hypothetical
> situation like that you should be aiming your complaints not at the lack of
> a security industry but at the software developers' idiotic business
> practices.
>
> > At least if proof of concept is out there, and the risk is publicly
> > known, they have some motivation to fix it, and the users of the product
> > can take precautions to get around the bug until it is fixed.
>
> not really. if the concept is out there but the vendor isn't going to do
> anything... then you're posing a greater security risk by having the
> vulnerability out there, aren't you? forcing vendors to fix bugs by
> threatening to make those bugs public is a poor solution to shoddy workplace
> practices.
>
> > Anyway, my thoughts.
>
> interesting nonetheless
>
> > Cheers
>
> likewise
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>