
On Wed, 3 Dec 2003 15:23:31 -0500 John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> Nope, we cannot stop them. But delayed disclosure will, in at least some cases, reduce the number of malicious users with such knowledge before a fix is available.

In both of your posts, you start from the assumption that immediate public disclosure contributes nothing, but that's all it is, an assumption. I am positing that putting any limits on the free exchange of this information is inherently worse than any *potential* harm (never once demonstrated, only theorized) done by such disclosure.

Straw men, babies, and bathwater, are all cute, but I have yet to see a strong argument, with evidence, that the free exchange of all security-related information, an important part of not only awareness and education, but also development of new tools to combat vulnerabilities (or the proper eradication of software which is unfixable, i.e. Internet Exploder), somehow does more harm than good.

There isn't even any evidence that having one "script-kiddie" releasing a worm or virus into the wild is somehow a better or less damaging situation than having two, or five. The point is there are *enough* that one or two more are not going to make one whit of difference. Constraining information, therefore, has no purpose, at least that can be quantified, whereas the uninhibited dialogue on security has enormous positive benefits.

The current "regime", as it were, is not working. The internet is gradually sliding away from us into a spam and virus-ridden pit, and it is precisely because certain proprietary software vendors have been allowed to hide their flawed approach to software design, and blame everything on script-kiddies and other malcontents. Instead, we should be exposing these flaws as they become apparent, and if it means that "risk reduction" means using, say, Mozilla, instead of an inferior and insecure product like Internet Explorer, so be it.

Extrapolate that analogy as you see fit ;-)

--
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
He who controls others may be powerful, but he who has mastered himself is mightier still. -- Lao Tsu
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml