
On Wed, 3 Dec 2003 09:59:43 -0500 (EST) Robert Brockway <robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
Software vulnerabilities are normally fixed by patches but I'll agree that security overall is more a function of awareness. I think this sentence mixes up two different concepts (specific security issues vs security procedures and knowledge).
Not at all. You are again assuming that "script-kiddies" gain somehow from the widespread "awareness" of vulnerabilities, an assumption to which I do not subscribe, mainly for lack of evidence.
From Security Focus:
"A successful attacker requires three things: the opportunity to launch an attack, the capacity to successfully execute the attack, and the motivation to attack. An opportunity to launch an attack requires a vulnerable system and an access path to the system. The capability to successfully execute the attack requires knowledge of the vulnerability and the tools to exploit it. Proponents of the information dictatorship argument are targeting the second requirement of a successful attacker: his capability to launch an attack. This approach to the problem of computer security is flawed, and can only fail. First, we cannot stop some small number of malicious users from gaining knowledge of vulnerabilities, or access to the tools that exploit them. Vulnerability information and exploits have legitimate uses with the computer security field. They are part of research, are required in penetration testing, and used by system administrator to test their systems, mitigate the risks by gaining an in-depth understanding of the problem, and to verify that vendor fixes work as advertised."

Link: http://www.securityfocus.com/news/270

--
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"The more laws and order are made prominent, the more thieves and robbers there will be." -- Lao Tsu

--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml