Open Source and information security mailing list archives
Message-ID: <200308071113.25742.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Vulnerability Disclosure Debate

On Thursday 07 August 2003 09:53 am, gridrun wrote:
> Vulnerability Disclosure Debate
> by gridrun on 8/07/03

<SNIP>

> In my humble, personal opinion, this step seeks to maximize income of
> several large security firms, as they would release any detailed
> information only to paying groups of subscribers... An inherently
> dangerous plan, and the argumentation behind it is severely flawed.

<SNIP>

> Apparently, M$' fix doesn't really fix the problem to its full extent,
> and in some cases, is believed to leave machines vulnerable to the
> attack. Again, something which was to be discovered by END USERS loading
> proof-of-concept exploits and trying them on their own systems. To me,
> it makes no sense to blindly trust in a software vendor's patch, when it
> has repeatedly been shown that software vendor's patches often do not
> fully provide the anticipated security fixes.
>
> Obviously, time has NOT yet come to say goodbye to full disclosure, and
> doing so would leave end users at the fate of some software producers'
> industry consortium to take care of OUR security - which they have
> repeatedly shown to be incapable of.

<SNIP>

Hallelujah!  I believe you!  I believe! 
We all in the Choir, back here on this bench.

Write this up in language that moderates invective, cite specific cases and 
exploits - then publish away!  SF needs articles, SysAdmin needs articles...

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
email: jcorneli@...mail.com

"What would be the use of immortality to a person who cannot use well a half 
hour?"
--Ralph Waldo Emerson
