Bugtraq mailing list archives

RE: [vor] Re: Can we afford full disclosure of security holes?


From: Lyle <Lyle () lcrcomputer com>
Date: Fri, 10 Aug 2001 20:18:47 -0500

I don't normally post on lists like this.  I certainly don't have the
knowledge or abilities that eEye or many of the others here have and I
certainly don't pretend to.  But I am here primarily to listen, to learn
what I can.  I am a System Administrator by trade as an independent IT
consultant.  I need to know where the next attack is coming from before the
vendor gets around to patching it or to recognize a hole in my security plan
at my customer's site.

My customer's site is not the same as any other customer site that is
around.  Every one is unique.  Their configuration is determined by money,
expertise, needs and available technology.  Where this varies widely is what
Internet connectivity is available at what price.  And this is within a very
major metropolitan area.

So in the end, one size does not fit all.  How I react and cover up any
particular security hole depends on a couple of things, primarily, 1) How
vulnerable is this customer to this threat?  2) How do I protect this
customer from this threat and at what cost?  #2 requires the knowledge of
how the threat spreads and what it does and how the customer's
infrastructure is built.

I, for one, can't do my job without the help of full disclosure as I sure
can't depend on Microsoft or any other vendor to release information found
here in a timely fashion to make sure my customers are covered.  If this
were a better world and the software vendors did a better job at disclosing
the problems, maybe, just maybe, full disclosure wouldn't be needed.  As it is
now, I can't depend on the vendor to give me the information I need to make
good decisions.

Lyle
