Dailydave mailing list archives

Re: Re: Hacking's American as Apple Cider


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 21 Sep 2005 12:12:14 -0400

pageexec () freemail hu wrote:
> now, users don't become vulnerable because of disclosure (i know
> that the 'responsible' disclosure guys like to mislead the public
> with that, no idea why you picked up their line...), they become
> vulnerable by running buggy apps (or using weak crypto in the
> analogy).

I didn't pick up their line; they picked up mine. My involvement in
that particular debate goes back a long way. :)

Anyhow, I completely disagree with your assertion that
"users don't become vulnerable because of disclosure"

I believe that users become vulnerable through a combination
of events:
        - choice of what code the user will be running
        - pre-existence of a flaw in the code
        - discovery of the flaw
        - exploitation of the flaw
All four of these things must happen (in approximately that order)
for a user to become vulnerable. If any single one of those four
does not happen, the user is not vulnerable to a particular flaw.

Now, anyone involved in any of those four steps must assign
or accept moral onus for the consequences of their actions
or inactions, if they result in someone being victimized. How
you choose to do so depends on your personal value system,
if you have one.

mjr. 

