Full Disclosure mailing list archives

Re: Microsoft Cries Wolf ( again )


From: Peter van den Heuvel <peter () bank-connect com>
Date: Tue, 01 Jul 2003 12:03:36 +0200

The ZDNet article hit the point right on the head.  It is irresponsible to
leave the vendor uninformed before going public.

I find all these posts on irresponsible behaviour a bit surprising. Driving through a red light is irresponsible, blowing one another's heads off with firearms is irresponsible (and USA citizens seem to be cunningly good at that), and still it happens. The problem is not going away, so face it and learn to live with it as best you can.

So, let's make it illegal! Yeah, like that ever solved a problem. It would make more sense to research a bit more into why people do this, how they could be convinced to be more social, and most particularly, how the process of "decent" disclosure could be facilitated. None of the recent attempts at industry countermeasures look very productive. In the meantime, one can of course fall back to calling the exploit publishers stupid idiots. There are no doubt people who believe that this is effective and will convince the subjects to adopt the opposed position.

May I suggest the "industry" open up a hall of fame page for hackers who have found exploits, that they commit to a reasonable policy regarding published exploits, that they ask the community what they consider reasonable, that they develop a corporate control and communications structure to deal with such issues in a technically effective way (instead of a legally ineffective way), that they learn to understand how these exploits are unveiled and adopt the technology to scan products before they hit the market, that they start facing the consequences of their behaviour and inadequacy instead of trying to kill the messenger. Ah well, guess not.

Peter

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

