BugTraq
Internet Explorer 0day exploit Jul 10 2007 05:09AM
Thor Larholm (seclists larholm com) (1 replies)
Re: Internet Explorer 0day exploit Jul 10 2007 03:53PM
Gadi Evron (ge linuxbox org) (1 replies)
Re: Internet Explorer 0day exploit Jul 15 2007 02:40AM
Dragos Ruiu (dr kyx net) (1 replies)
Re: Internet Explorer 0day exploit Jul 15 2007 02:41AM
Gadi Evron (ge linuxbox org) (1 replies)
Re: Internet Explorer 0day exploit Jul 18 2007 08:37AM
Chris Stromblad (cs outpost24 com) (2 replies)
Re: Internet Explorer 0day exploit Jul 18 2007 06:37PM
Bigby Findrake (bigby ephemeron org) (1 replies)

On Wed, 18 Jul 2007, Chris Stromblad wrote:

<deletia>

> One more thing about "advisories". I think it would be better to release
> them immediately and let people know what they are facing. With public
> dissemination of a vulnerability perhaps someone will release a 3rd
> party patch or another inventive way of protecting oneself. Holding it
> "secret" really doesn't help anyone.

With regards to your last statement, I would like to believe that that's
so, or at least that if there is some harm in "early release" of
information that that harm is mitigated (if not outright outweighed) by
the potential good that's done by alerting the community and thereby
allowing them to develop their own responses.

I guess what we're really talking about here is the perceived potential
negative impact of letting the bad guys know that a vulnerability exists
in space X (that they might then attempt to exploit where without that
knowledge, they wouldn't try to exploit it even if it could be argued that
they would attempt to find it) vs. the perceived potential good of
allowing the good guys to attempt to formulate their own defenses
tangential to some sort of "official" response.

It seems to me that without metrics (how many early release advisories
turned into exploits that wouldn't have been created without said
advisory?) that all discussion on this topic is either philosophical or
academic (which is not to imply "without merit").

> Anyways, enough ranting.

I, for one, enjoyed your rant.

- --
Making files is easy under the UNIX operating system. Therefore, users
tend to create numerous files using large amounts of file space. It
has been said that the only standard thing about all UNIX systems is
the message-of-the-day telling users to clean up their files.
-- System V.2 administrator's guide

finger://ephemeron.org/bigby
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs

Re: Internet Explorer 0day exploit Jul 18 2007 08:17PM
Chris Stromblad (cs outpost24 com)
Re: Internet Explorer 0day exploit Jul 18 2007 04:53PM
Zow Terry Brugger (zow llnl gov) (1 replies)
Re: Internet Explorer 0day exploit Jul 18 2007 08:12PM
Chris Stromblad (cs outpost24 com) (1 replies)
Re: Internet Explorer 0day exploit Jul 20 2007 09:08PM
Chad Perrin (perrin apotheon com) (1 replies)
RE: Internet Explorer 0day exploit Jul 21 2007 03:22PM
Ken Kousky (kkousky ip3inc com) (2 replies)
RE: Internet Explorer 0day exploit Jul 24 2007 02:54PM
Roger A. Grimes (roger banneretcs com)
RE: Internet Explorer 0day exploit Jul 24 2007 05:37AM
Hugo van der Kooij (hvdkooij vanderkooij org)

Copyright 2010, SecurityFocus