
On Wed, 3 Dec 2003 09:59:43 -0500 (EST) Robert Brockway <robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
> Well, there's my position. I won't be replying to this thread again unless interesting new material is added. I find all too often that people will follow up, just repeating (or slightly varying from) what has already been said and the arguments go round and round. As far as I'm concerned Joe and I have differing opinions and have both expressed them now. I won't waste time following up if I'm only going to be repeating what I've already said.
Like to have the last word, eh?

People like car analogies, so here goes: A certain brand of tire, it is discovered, has a propensity for explosive tread separation at highway speeds. Do we keep this info private until the vendor can supply a patch? No. We immediately inform the public that there is a risk, so that they can take steps to reduce that risk, such as using another brand of tire or modifying their driving habits, or, if so inclined, staying off the road altogether until the vendor can supply a tire which does not go "boom".

I have found/seen no empirical evidence to suggest that crackers (you are correct, I think, in that distinction) benefit from disclosure, but I have read many accounts of public disclosure of security risks leading to timely and effective mitigation, such as the examples I have already posted. If someone could point me to a source which contradicts this evidence, I would gladly eat my words; otherwise, the idea that these script kiddies benefit *substantially* from public disclosure of vulnerabilities remains, in my mind, merely a theory. The fact that it is proposed primarily by proprietary software vendors also makes me suspicious.

To wit: http://www.wild.lib.fl.us/bib/disclosure-by-date.html

You will notice that proprietary vendors are by far the most vocal about keeping a lid on newly discovered exploits, whereas the actual security professionals see more good than harm in publicly disclosing them.

My favourite quote, from: http://www.computerworld.dk/usarticles.asp?Mode=1&USArticleID=2682

""On analysis of the code of the Slammer worm it is apparent that my code was used as its template," Litchfield wrote. Many parts of the worm's code were identical to the published proof of concept code, but the worm was not simply a copy of the published example, Litchfield said.

"It (is) apparent that whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template," Litchfield wrote. The code taken from Litchfield's published exploit saved the worm's real writer "about 20 or so minutes," Litchfield wrote."

-- 
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"Where the state begins, individual liberty ceases, and vice versa." -- Bakunin

--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml