From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Vulnerability Disclosure Debate

On Thursday 07 August 2003 09:53 am, gridrun wrote:
> Vulnerability Disclosure Debate
> by gridrun on 8/07/03

<SNIP>

> In my humble, personal opinion, this step seeks to maximize income of
> several large security firms, as they would release any detailed
> information only to paying groups of subscribers... An inherently
> dangerous plan, and the argumentation behind it is severely flawed.

<SNIP>

> Apparently, M$' fix doesnt really fix the problem to its full extent,
> and in some cases, is believed to leave machines vulnerable to the
> attack. Again, something which was to be discovered by END USERS loading
> proof-of-concept exploits and trying them on their own systems. To me,
> it makes no sense to blindly trust in a software vendor's patch, when it
> has repeately been shown that software vendor's patches often do not
> fully provide the anticipated security fixes.
>
> Obviously, time has NOT yet come to say goodbye to full disclosure, and
> doing so would leave end users at the fate of some sotware producers'
> industry consortium to take care of OUR security - which they have
> repeatedly shown to be incapable of.

<SNIP>

Hallelujah!  I believe you!  I believe! 
We all in the Choir, back here on this bench.

Write this up in language that moderates invective, cite specific cases and 
exploits - then publish away!  SF needs articles, SysAdmin needs articles...

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
email: jcorneli@...mail.com

"What would be the use of immortality to a person who cannot use well a half 
hour?"
--Ralph Waldo Emerson

Powered by blists - more mailing lists