Bugtraq mailing list archives
Re: Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994
From: pwh () bradley bradley edu (Pete Hartman)
Date: Mon, 28 Nov 94 18:56:06 -0600
> My key concern is that people on the net, and on these lists in particular, spout opinion as proven fact.
And just exactly WHERE is it that your opinion has become proven fact as opposed to the rest of us poor sods? You don't sound like you're including yourself in this sweeping criticism.
> This perpetuates folklore, just as knocking on wood or avoiding black cats. We have no general evidence to prove in any real way that full disclosure helps/hurts more people than it hurts/helps. We have no evidence that full disclosure hastens/delays release of a fix. And we have no evidence that the majority of "black hats" know and use all of these flaws before they are publicly announced (although there is some partial evidence to the contrary).
What evidence? Seems to me that the contrary evidence is that that is contrary to your stance. 8lgm published scripts about rdist and /bin/mail and suddenly vendors were scrambling to patch them, despite the fact that these utilities have been around almost as long as BSD itself, and should have been patched then. So what evidence do you have that there are bugs that have been fixed that weren't widely distributed first?
> If we are going to improve the way we handle security, we have to start by examining what we really know and not what we have experienced locally.
When many local experiences are pooled, and all appear to be similar, doesn't that seem to indicate a trend? Something statistically more significant than my own personal anecdote? The pooling of experiences seems to indicate to me that knowledge is power, and if you deny those who NEED the power sufficient knowledge, they will be incapable of protecting themselves effectively from those who DO have the power. Whether there's an organized "black hat" network or not is irrelevant. One black hat telling another is more organized than we white hats can be if we're treated like goddamn mushrooms.
Current thread:
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994, (continued)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 28)
- Full vs. Partial Dsiclosure Nathan Lawson (Nov 28)
- (fwd) In reply to comments about new policy (fwd) Paul 'Shag' Walmsley (Nov 28)
- Re: (fwd) In reply to comments about new policy (fwd) anthony baxter (Nov 28)
- Old vulnerability disclosure please? (fwd) Jeon Young-mi (Nov 29)
- Re: (fwd) In reply to comments about new policy (fwd) Pug (Nov 30)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Robert M. Haas (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Casper Dik (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Doug Siebert (Nov 29)
- STOP! Aleph One (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Pat Myrto (Nov 29)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 30)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 30)