Dailydave mailing list archives

Re: Speculation


From: "Paul Melson" <pmelson () gmail com>
Date: Sat, 19 Jul 2008 18:19:32 -0400

On Sat, Jul 19, 2008 at 10:22 AM, Paul Vixie <vixie () isc org> wrote:
would you have preferred that the attack vector be completely published on
day 1, rather than a cert advisory with details to follow a month later at
defcon, so that your recommendations could be completely informed?  note
that in that case it would also go in the wild before you could patch.  is
that what you want the next discoverer to do for you?

What you - and this is the collective "you" referring to the vendors
and researchers on both sides of this argument - seem to forget is
that secops folks aren't left with patching as our only option.  We
don't necessarily need a patch to mitigate, even if temporarily, any
particular risk.  However, these alternate strategies tend to require
more information about the vulnerability and attack than a patch does.
So while I would always prefer to know about a vulnerability prior to
a first strike attack, I'd still also prefer to be in the loop, not
outside of it.

Risk management and defensive reaction strategies rely on accurate,
timely, detailed information to be highly successful.  When vendors
deny us (their customers!) that information, it's no better than when
security researchers publish a PoC to a mailing list without telling
the vendor.  It's a blindside either way.

PaulM
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
