Debian attacker may have used new exploit

On Wed, Dec 03, 2003 at 03:23:44PM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 15:23:31 -0500 John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> > Nope, we cannot stop them. But delayed disclosure will, in at least some
> > cases, reduce the number of malicious users with such knowledge before a
> > fix is available.
>
> In both of your posts, you start from the assumption that immediate public
> disclosure contributes nothing, but that's all it is, an assumption. I am
> positing that putting any limits on the free exchange of this information is
> inherently worse than any *potential* harm (never once demonstrated, only
> theorized) done by such disclosure. Straw men, babies, and bathwater are all
> cute, but I have yet to see a strong argument, with evidence, that the free
> exchange of all security-related information, an important part of not only
> awareness and education, but also development of new tools to combat
> vulnerabilities (or the proper eradication of software which is unfixable,
> i.e. Internet Exploder), somehow does more harm than good.
If both sides of an argument take the approach that "if it is not proven
otherwise, my belief should prevail" then you never come to a useful
resolution.

Far from proving that immediate disclosure has an advantage over delayed
disclosure, you haven't even suggested any way in which it *might* have an
advantage. All of your arguments apply only to the comparison against
non-disclosure, which no-one is trying to claim as a good practice. That is a
straw man: you put a false argument into the mouths of your opponent so that
you can knock it down. It does not accomplish any useful progress in the
discussion.

It is quite obvious that immediate disclosure will sometimes (not always, but
sometimes) cause damage that delayed disclosure would ameliorate. This will
happen when:

- no cracker happened to already know about the particular hole being
  disclosed
- only one cracker already knew about the hole, but he was saving it to use
  for a particular attack
- every cracker that knew about this hole had other things to do and wasn't
  developing an exploit yet, but the disclosure made the potential damage
  time limited and so it was worth switching to exploiting this hole at this
  time instead of other work

Try and prove that none of these could ever happen! (But don't just prove
that they will sometimes not happen - I already admit that, but that is
irrelevant. You are arguing that immediate disclosure should be done for
every case.)

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml