Message-ID: <200308071113.25742.jeremiah@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Vulnerability Disclosure Debate
On Thursday 07 August 2003 09:53 am, gridrun wrote:
> Vulnerability Disclosure Debate
> by gridrun on 8/07/03
<SNIP>
> In my humble, personal opinion, this step seeks to maximize income of
> several large security firms, as they would release any detailed
> information only to paying groups of subscribers... An inherently
> dangerous plan, and the argumentation behind it is severely flawed.
<SNIP>
> Apparently, M$' fix doesn't really fix the problem to its full extent,
> and in some cases, is believed to leave machines vulnerable to the
> attack. Again, something which was to be discovered by END USERS loading
> proof-of-concept exploits and trying them on their own systems. To me,
> it makes no sense to blindly trust in a software vendor's patch, when it
> has repeatedly been shown that software vendor's patches often do not
> fully provide the anticipated security fixes.
>
> Obviously, time has NOT yet come to say goodbye to full disclosure, and
> doing so would leave end users at the fate of some software producers'
> industry consortium to take care of OUR security - which they have
> repeatedly shown to be incapable of.
<SNIP>
Hallelujah! I believe you! I believe!
We all in the Choir, back here on this bench.
Write this up in language that moderates invective, cite specific cases and
exploits - then publish away! SF needs articles, SysAdmin needs articles...
--
Jeremiah Cornelius, CISSP, CCNA, MCSE
email: jcorneli@...mail.com
"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson