Full Disclosure mailing list archives

Re: How much time is appropriate for fixing


From: Григорий Братислава <musntlive () gmail com>
Date: Tue, 10 Jul 2012 17:15:37 -0400

On Tue, Jul 10, 2012 at 4:37 PM, Gary E. Miller <gem () rellim com> wrote:
> Yo Thor!
>
> On Tue, 10 Jul 2012 19:58:16 +0000
> "Thor (Hammer of God)" <thor () hammerofgod com> wrote:
>
> > People do not disclose their research to make
> > the world a better place.  They do it for recognition or for money.
>
> I would argue there is a 3rd reason.  Self defense.  I and others have
> had issues of our servers being attacked by unknown evil doers.  To keep
> our servers running we need to reverse engineer the hack and get the
> bug fixed or the attack vector blocked.  Until '* Disclosure' in its many
> aspects was common it was virtually impossible to get vendors to fix
> open holes being actively used by attackers.  The public shaming of
> '* Disclosure' large companies found denial a very easy and cheap
> response to bugs that were killing us.


Poor argument. If you is smart enough to is reverse engineer the
threat, why can't you forward engineer a fix and post it publicly so
that is others don't get hacked.

E.g. (using my Bejtlich is accent: "We are being attacked from China
obviously. This is how they are attacking, this is what they are
affecting, this is what we did to get it fixed. Patch yourself before
is evil Chinese attack you too! Otherwise, wait for vendor to post
next patch Tuesday fixes and in is meantime, allow them to roam along
your network like is Travelocity Gnome")

Public shaming of not only is vendor of shoddy software, but is
attacker, is key no one is think about.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
