Re: Vulnerability Disclosure Debate

[Jeremiah Cornelius <jeremiah () nur net>]

On Thursday 07 August 2003 09:53 am, gridrun wrote:
> Vulnerability Disclosure Debate
> by gridrun on 8/07/03

<SNIP>

> In my humble, personal opinion, this step seeks to maximize income of
> several large security firms, as they would release any detailed
> information only to paying groups of subscribers... An inherently
> dangerous plan, and the argumentation behind it is severely flawed.

<SNIP>

> Apparently, M$' fix doesnt really fix the problem to its full extent,
> and in some cases, is believed to leave machines vulnerable to the
> attack. Again, something which was to be discovered by END USERS loading
> proof-of-concept exploits and trying them on their own systems. To me,
> it makes no sense to blindly trust in a software vendor's patch, when it
> has repeately been shown that software vendor's patches often do not
> fully provide the anticipated security fixes.
>
> Obviously, time has NOT yet come to say goodbye to full disclosure, and
> doing so would leave end users at the fate of some sotware producers'
> industry consortium to take care of OUR security - which they have
> repeatedly shown to be incapable of.

<SNIP>

Hallelujah!  I believe you!  I believe! 
We all in the Choir, back here on this bench.

Write this up in language that moderates invective, cite specific cases and 
exploits - then publish away!  SF needs articles, SysAdmin needs articles...

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
email: jcorneli () hotmail com

"What would be the use of immortality to a person who cannot use well a half 
hour?"
--Ralph Waldo Emerson
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html