Bugtraq mailing list archives
Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994
From: rhaas () cygnus arc nasa gov (Robert M. Haas)
Date: Tue, 29 Nov 1994 23:39:29 -0800
> Hmm, not exactly. Experiments require controls and statistical bases, not recollection of previous events.
That doesn't necessarily follow. I'm sure no one on bugtraq or anyplace else has done a careful statistical analysis of previous security problems, but that's not to say it's impossible. If I had 30 years experience as a doctor, tabulated my medical records, and found that 90% of the people who came in with lung cancer were smokers, I could reasonably conclude that the two were related (perhaps not causally) even if I hadn't started out my medical career intending to do such a study.
> My key concern is that people on the net, and on these lists in particular, spout opinion as proven fact. This perpetuates folklore, just as knocking on wood or avoiding black cats.
How DO you intend for people to present their opinions, if not by stating them? Nobody takes a statement of opinion (i.e. "I think that Robert Haas is an idiot") to be a statement of fact (i.e. "research indicates that Robert Haas has an IQ of 10"). I don't understand how the statement that I am an idiot propagates folklore... Besides, a lot of what people have said has been qualified by statements like "at my site, this is what happened, and based on that, I think..." which is perfectly valid, IMHO. At this point, the debate on this topic has become so heated that no matter how it is eventually resolved (and with or without facts) a lot of people will be unhappy. Maybe we should stop asking (as 8lgm apparently has) "which one is better for the security of the Internet at large?" (which may be undecidable) and instead ask "which one will make fewer people unhappy?" (which may be something we can reasonably hope to figure out in some finite period of time)
> We have no general evidence to prove in any real way that full disclosure helps/hurts more people than it hurts/helps. We have no evidence that full disclosure hastens/delays release of a fix. And we have no evidence that the majority of "black hats" know and use all of these flaws before they are publicly announced (although there is some partial evidence to the contrary).
Well, if we have no evidence... then how come you are taking a position on the issue at all? If you really believe that there is no evidence on either side, then you can't legitimately take sides. It looks to me like you are taking sides (but hey, that's just my opinion), in which case you must be offering an opinion. This strikes me as rather similar to what you were telling the rest of us not to do. ...Robert
Current thread:
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Bruce Barnett (Nov 27)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Alan Hannan (Nov 28)
- <Possible follow-ups>
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Paul Howell (Nov 28)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 28)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 28)
- Full vs. Partial Dsiclosure Nathan Lawson (Nov 28)
- (fwd) In reply to comments about new policy (fwd) Paul 'Shag' Walmsley (Nov 28)
- Re: (fwd) In reply to comments about new policy (fwd) anthony baxter (Nov 28)
- Old vulnerability disclosure please? (fwd) Jeon Young-mi (Nov 29)
- Re: (fwd) In reply to comments about new policy (fwd) Pug (Nov 30)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 28)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Robert M. Haas (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Casper Dik (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Doug Siebert (Nov 29)
- STOP! Aleph One (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Pat Myrto (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 30)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 30)