Bugtraq mailing list archives

Re: Full Disclosure works, here's proof:


From: cklaus () shadow net (Christopher Klaus)
Date: Sat, 3 Dec 94 14:28:36 EST



If 8lgm had only reported to SCO and Sun, I bet it would have taken
just as long (short).

--spaf


Look, the guy from SCO posted that they had time to fix the bugs reported
by 8LGM and they didn't.  Only when 8lgm said they were going to go full
disclosure, did they start to work on binary patches for all their
systems.  It's obvious some people don't understand how corporate America
thinks.  The 1st question they ask about a problem is how many people
know.  With that in mind, the problem takes on a priority determined by
what the public knows.  I do not really think a lot of people need
scientific proof to understand this concept and hard core data to back it
up. 

Maybe CERT could provide us a graph of which companies were reported bugs,
how long it took to fix them, whether they were publicly disclosed, how
many ancient bugs still aren't fixed, etc., etc. <grin> Let's
see my tax money put to good use here.

Another point I would like to make is that full disclosure should not only
motivate vendors to provide fixes, but EVEN more importantly, it should
provide motivation to admins who like their jobs, to install the patches.
I think I would take the time to install a patch that has been fully
disclosed and know that most no-brain wannabe hackers are going to be
trying it on my system, versus a patch that fixes a problem that only SCO
and CERT know about and I will probably never have a problem with. 

Plus, it would be easier to justify to management more money to spend on
installing security patches and such, if you can say, 'These problems are
well known by everyone on the Internet and are being exploited everywhere,
so we need to spend $$ to fix them before we really get hit hard.'
versus, 'Yea, VendorX just released some patches that no one knows what
they fix, if they really fix anything, nor are there a lot of people
exploiting the problems.'

For Spaf's satisfaction, the above statements are just my own opinions and
not hard core facts, nor do they reflect reality except for what I have
seen in the business place and colleagues of mine also have said is true. 


-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030