Bugtraq mailing list archives
Re: Full Disclosure works, here's proof:
From: cklaus () shadow net (Christopher Klaus)
Date: Sat, 3 Dec 94 14:28:36 EST
If 8lgm had only reported to SCO and Sun, I bet it would have taken just as long (short). --spaf
Look, the guy from SCO posted that they had time to fix the bugs reported by 8LGM and they didn't. Only when 8lgm said they were going to go full disclosure did they start to work on binary patches for all their systems. It's obvious some people don't understand how corporate America thinks. The 1st question they ask about a problem is how many people know. With that in mind, the problem takes on a priority determined by what the public knows. I do not really think a lot of people need scientific proof to understand this concept and hard core data to back it up. Maybe CERT could provide us a graph of which companies were reported bugs, how long it took to fix them, whether they were publicly disclosed, how many bugs that are ancient still aren't fixed, etc., etc. <grin> Let's see my tax money put to good use here.

Another point I would like to make is that full disclosure should not only motivate vendors to provide fixes, but EVEN more importantly, it should provide motivation to admins who like their jobs to install the patches. I think I would take the time to install a patch that has been fully disclosed and know that most no-brain wannabe hackers are going to be trying it on my system, versus a patch that fixes a problem that only SCO and CERT know about and I will probably never have a problem with. Plus, it would be easier to justify to management more money to spend on installing security patches and such, if you can say, 'These problems are well known by everyone on the Internet and are being exploited everywhere so we need to spend $$ to fix them before we really get hit hard.' versus, 'Yea, VendorX just released some patches that no one knows what they fix, if they really fix anything, nor are there a lot of people exploiting the problems'.
For Spaf's satisfaction, the above statements are just my own opinions and not hard core facts, nor do they reflect reality except for what I have seen in the business place and colleagues of mine also have said is true.

-- 
Christopher William Klaus <cklaus () shadow net> <iss () shadow net>
Internet Security Systems, Inc.  Computer Security Consulting
2209 Summit Place Drive,  Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030