Industry Fears the Red Pill
Richard Forno, 2001-08-30

The security community must choose between the red pill of full disclosure or the blue pill of security through obscurity.

Right on! 2001-08-30
Odium Devonix (aka Hatred)
Bad analogy? 2001-09-03
Coldman
Full Disclosure 2001-09-03
H Carvey <keydet89@yahoo.com>
The red pill 2001-09-06
Dave Hudson (1 replies)
The red pill 2001-09-17
abaximus "mailto:pr0digy26@hotmail.com"
At least it's not the 'little purple pill'... 2002-01-29
Anonymous
Huh. Before I read this I would've said I was all for 'full disclosure'...
But surprisingly, after reading it, I'm actually not so sure anymore.
You brought up an interesting point - but didn't address it. If the 'majority of the world's computing community' prefers the blue pill, how do you make them want the red one?
I'm not sure that simply publishing the exploits will do that - as there are really only 2 types of people interested in the information outside of the vendors - those who want to use the exploit, and those who want to protect against it.
What's wrong with the 3rd party solution? Why must the concept of 'membership groups' get immediately discarded as invalid? Because they aren't rebel coders, lone-guns, and solitary admins trying to 'bring the law' to the ol' west of networking security?
You speak of ethics - ethically, I think the vendor has 2 responsibilities: 1) to react to, and fix, (or at least find work-arounds) for discovered holes/bugs/exploits, 2) to not make my data any more vulnerable than it already is - which means not putting the information about that exploit into the hands of someone who will misuse it before you put some sort of a solution into mine.
Sorry, maybe I'm supposed to say "yeah! me too!" here, but personally, I have neither the time nor the inclination to be cleaning up after the messes of sloppy coding on the vendor's part - I've got my own job to do!
If the solution is that there is a 3rd party group out there, of folks who *want* to spend time looking for the fix, more power to them.
I guess I choose neither the blue nor the red. Unfortunately, it's not really our choice, now, is it? The article implies I have a choice - personally, unless I coded the product myself, that's not the case. I'm at the mercy of the vendor to supply me with either a) a fix, or b) the specs on the issue.
So again, what was my choice?
I'm pretty sure that full disclosure (read: red pill) isn't really an option...
Copyright 2008, SecurityFocus