Bugtraq mailing list archives

Re: Full Disclosure works, here's proof:


From: karl () bagpuss demon co uk (Karl Strickland)
Date: Mon, 5 Dec 1994 00:49:12 +0000 (GMT)



Karl Strickland wrote:

Bela> This is ridiculous.  You'd decline to install a security patch because
Bela> you think not enough hackers know about the hole?

Karl> One important point is, if you don't know what the hole is, you can't be
Karl> sure it's fixed.  Some people are more reluctant to take these things
Karl> on trust, after seeing what happened with Sun's binmail patches.

If the reader believes that the holes originally exist as stated and
that SCO has made a good faith effort to fix them, it is sensible to
install the fixes even if it eventually turns out that a narrower hole
remains.  

What if it turns out that they open an even bigger hole?  I'm thinking of
binmail.

It's analogous to a terminal cancer patient being told that he
can try a promising but untested new drug -- except in this case it's
cured all the lab rats, so the doctor has very high hopes for the drug.

You imply your patches go out without any testing :-)

I suppose some readers could think the whole thing was an elaborate
collaborative hoax between 8LGM and SCO to *introduce* Trojan horses...
I can't help anyone who is that paranoid.

Is that *I* as in Bela or *I* as in SCO?  (No disclaimer in this one).
In the end vendors will do whatever they have to do to stay in business.
As users become more educated on security issues, they may decide that
they'd rather have vendors who take security seriously, fix bugs quickly
and are more open about the whole process.  When these paranoid people
decide to vote with their chequebooks, maybe SCO, Sun, SGI, DEC and everyone
else will be a little more willing to help.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |


