Bugtraq mailing list archives

Re: Full Disclosure works, here's proof:


From: cklaus () shadow net (Christopher Klaus)
Date: Sun, 4 Dec 94 12:49:54 EST


I think I would take the time to install a patch that has been fully
disclosed and know that most no-brain wannabe hackers are going to be
trying it on my system, versus a patch that fixes a problem that only SCO
and CERT know about and I will probably never have a problem with. 

Bela at SCO wrote:
This is ridiculous.  You'd decline to install a security patch because
you think not enough hackers know about the hole?

By the same token, it is ridiculous that vendors aren't providing security
patches because they don't think enough hackers know about a hole.  It
wasn't until 8LGM gave you incentive to provide patches that anything was
really done. 

I would install all the patches, but I am sure some admins feel this way
and it is easier to justify to management if you can demonstrate to them
the problem.  Most admins don't install security patches as it is now,
probably due to one of several reasons: inexperience, being more worried
about keeping the systems up than installing security, time constraints,
etc.  But with security problems being fully disclosed, the problem
becomes more in the open and will get fixed quicker. 

-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030


